Got a letter from my merchant credit card processing company that does not seem to pass the smell test. The letter states that Mastercard/Visa/Discover etc. are requiring all merchants to be PCI/DSS compliant and that to do so I need to pay a $150.00 annual fee to a company called Security Metrics. Furthermore there could be additional fees of $25.00 or more assessed by the merchant processors. The whole thing looks like a scam. My merchant processor says he knows about the letter and he will see what he can do. Does anyone out there know about this crap?

Rob


Do you use First Data?

https://www.pcisecuritystandards.org/saq/index.shtml

fill out a SAQ and you're compliant (if the answers are not "yes, we hand other customers' credit card numbers to anyone that asks")

mastercard/visa are requiring outside auditors for high tier merchants (eg. WalMart.com, TJ Maxx, etc), but frequently

change processing company if they're requiring it of you

It probably is not that simple if OP has a website.

you'd be surprised how bullshit PCI-DSS really is.

juliox said: you'd be surprised how bullshit PCI-DSS really is.

BS or not, the OP may still be legally required to comply or face charges. Whether or not he falls under the "must comply" category is up in the air.

It's BS. They made me fill out a questionnaire or something. If they want $150 from you change providers. I'm with First Data and haven't yet gotten one of these.

I think it's a First Data BS charge, after I changed to Nova/Elavon I haven't had to deal with it.

t60 said: BS or not, the OP may still be legally required to comply or face charges. Whether or not he falls under the "must comply" category is up in the air.

This response shows that you have no idea what PCI is. This isn't SOX, this isn't a legal requirement, there is no jail time or charges for not upholding the PCI Data Security Standard.

Specifically, this is a requirement by the CREDIT CARD companies. Some states have taken small subsets of PCI and made them law - for example NY no longer allowing you to print credit card numbers on receipts as of 2002/2003 (before PCI existed...)

So the reason I said he doesn't need to do it is reinforced by the link below:
http://usa.visa.com/merchants/risk_management/cisp_merchants.html


Unless he already knows what PCI is, the OP does NOT fall ABOVE Level 4, defined as:
Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually

And the requirements for a level 4:
Annual SAQ recommended
Quarterly network scan by ASV if applicable
Compliance validation requirements set by acquirer


In this case - this $150 fee and the associated 5 minute phone call from the auditor is possibly that "Compliance validation requirements set by acquirer", which would be your processing company. You can consider this fee $150 extra merchant processing fees for the year, as it is in no way legally required - you really need nothing at all at level 4.

nhokt said: I think it's a First Data BS charge, after I changed to Nova/Elavon I haven't had to deal with it.
I got this same letter from Elavon about a month ago. We have 4 accounts with them, but we only got the letter on one account.

Usually the merchant has an account with the audit company and covers the bill. I have yet to get charged for security metrics. You should be assessed the fee/fine (~$25) if you are not PCI certified.

If you are not PCI compliant, they will hold you responsible for damages for a breach. Without knowing how much you process, where you process (terminal vs software vs internet), we won't know the level and whether or not it's required.


If anything holding cardholder data touches the internet, you need to have a quarterly scan. You also need to follow whatever your processor wants, pretty much, or find a new one.

I use pccharge software to process customer charges. We are a B2B company. We do not process more than 20K transactions per year. We have a decent average order but we probably do no more than 5000 transactions per year. I appreciate any comments. This stuff is getting to be total BS. I am getting very tired of overcharges and nonsense from my processor who "isn't making any money on me" (according to him, very little money).

Rob

robertw477 said: I am getting very tired of overcharges and nonsense from my processor who "isn't making any money on me" (according to him, very little money).

Can you change vendors? That's one of the most aggravating comments that a vendor can say to you. First, it shows that they aren't even pretending anymore that they're in the business to serve you. That's bad. Their customer service will be terrible. And they're going to try and nickel and dime you to death.

There are other companies that'll be happy to take your money, and make you feel good doing so. I'd go with them.

All these merchant companies are shady. Tons of bait and switch. All sorts of BS charges. They always claim that Mastercard and Visa are raising their rates etc. Totally aggravating. All these banks try to get my business but once I ask a few tough questions they usually get lost.

Rob

It all seems to be crap. You don't have to pay anything. Merchant account maintenance does not require or include any processing or monitoring fees.

okay


