PCI non-compliance fees and how to avoid them

David Gibb
Ecommerce

The Payment Card Industry, or PCI, has a number of ways in which it accounts for the costs of preventing fraud. Any organization that accepts payment via cards (credit, debit, etc.) must adhere to the Payment Card Industry Data Security Standard (PCI DSS). In order to stay in compliance and cover costs, payment processors employ a number of different fees, penalties, and fines that vary in frequency and size.

For some, PCI non-compliance fees can be factored into the cost of doing business. However, many organizations prioritize PCI compliance so they don’t end up with unnecessary penalties cutting into their bottom line. 

More and more organizations looking to eliminate these costly fees are turning to PCI compliant web hosting as a solution to bolster their security, speed, and efficiency. This guide examines what PCI compliance fees are, why they matter, and how they can be kept to a minimum.

Key points

  • PCI non-compliance fees are monthly charges ($20-$60) imposed by payment processors on businesses that fail to meet Payment Card Industry security standards, with potential fines reaching up to $500,000 for security breaches.
  • Only 43% of American businesses are currently PCI compliant, leaving the majority at risk of penalties, security breaches, and increased liability, highlighting the urgent need for better security measures.
  • Achieving PCI compliance requires following specific steps, including determining your compliance level, completing self-assessments, conducting regular security scans, and maintaining ongoing compliance through proper documentation and security practices.

What are PCI non-compliance fees?

PCI non-compliance fees are monthly charges imposed by payment processors on businesses that fail to meet Payment Card Industry (PCI) security standards. These fees typically range from $20 to $60 per month, depending on the processor and the business’s transaction volume.

These fees are triggered by:

  • Failure to complete annual PCI self-assessment questionnaires.
  • Missing quarterly network security scans.
  • Not maintaining required security protocols (like encryption and firewalls).
  • Incomplete validation of compliance status.
  • Failure to report and document security measures.
  • Not addressing identified security vulnerabilities.

Payment processors issue these fees both to protect themselves from potential fraud risks and to motivate businesses to maintain PCI compliance. The fees continue until the business demonstrates full compliance with PCI DSS requirements appropriate for their transaction level.

How to avoid PCI non-compliance fees

The easiest way to avoid unnecessary PCI fees and fines is to remain in compliance with PCI DSS. This can be achieved by staying up-to-date with your self-assessments, performing proactive in-house audits, and prioritizing PCI compliant web hosting.

Fully compliant web hosting from Liquid Web is flexible, reliable, and fast. No matter what industry you’re in, our single-server, cloud-based, and hybrid solutions can help you achieve your PCI goals.

Still, you may be subject to monthly fees and charges from your payment processing company, which is why it’s important to always review each processor’s fee structure before deciding on your payment processing partner. If a processor has promised no fees and you find out otherwise down the road, consider making the change that’s best for your business.

How to achieve PCI compliance

Determine your compliance level

The first step toward PCI compliance is identifying your compliance level, which is based on your annual transaction volume. There are four levels of PCI compliance, ranging from Level 1 (over 6 million transactions annually) to Level 4 (fewer than 20,000 e-commerce transactions annually). Your level determines the specific requirements and validation procedures you’ll need to follow.

Complete Self-Assessment Questionnaire (SAQ)

The Self-Assessment Questionnaire is a crucial document in your compliance journey. Different business types require different SAQ versions, labeled A through D. The questionnaire you’ll complete depends on how your business processes payments. For instance, e-commerce businesses using third-party processors complete a different SAQ than businesses with in-person transactions. Complete this assessment thoroughly and honestly, as it forms the foundation of your compliance documentation.

Conduct security scans

Regular security scanning is mandatory for PCI compliance. You’ll need to work with an Approved Scanning Vendor (ASV) to conduct quarterly vulnerability scans of your systems. These scans examine all external-facing IP addresses for potential security weaknesses. When vulnerabilities are found, address them promptly and maintain detailed records of all scan reports and remediation efforts.

Implement security best practices

Security best practices form the core of PCI compliance. This includes installing and maintaining firewalls, implementing strong password policies, and encrypting cardholder data during transmission. Your business must also maintain up-to-date anti-virus software and restrict access to cardholder data, both physically and digitally. Regular system testing and monitoring of network access ensure these security measures remain effective. 

Maintain ongoing compliance

PCI compliance isn’t a one-time achievement—it requires ongoing attention and maintenance. Create a comprehensive schedule for regular compliance tasks and ensure all employees are trained on security protocols. Document every security incident and response, and regularly review and update your security measures.

For example, many fintech and online lending platforms now implement additional layers of fraud protection, including robust anti-money laundering tools for digital lenders, to remain compliant and reduce exposure to financial crime risks. Staying informed about updates to PCI DSS requirements is crucial for maintaining compliance.

Submit compliance documentation

The final step is submitting your compliance documentation to your payment processor. This includes your completed SAQ, proof of passing vulnerability scans, and an Attestation of Compliance (AOC). Keep copies of all submissions for your records and respond promptly to any follow-up requests from your processor. Proper documentation demonstrates your commitment to security and helps avoid non-compliance fees.
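As an added illustration of the procedure above (this is example code, not from the original article or from Liquid Web), the tracker below derives a merchant's level from the transaction thresholds stated in this guide and reports which of the fee triggers listed earlier currently apply. The 90-day scan window, the 365-day SAQ/AOC window, treating exactly 1 million transactions as Level 2, and all sample dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Thresholds from the article: Level 1 over 6M, Level 2 1-6M,
# Level 3 20,000-1M e-commerce, Level 4 under 20,000 e-commerce.
def pci_level(annual_transactions: int) -> int:
    """Map annual card transaction volume to a PCI merchant level (1 = highest)."""
    if annual_transactions > 6_000_000:
        return 1
    if annual_transactions >= 1_000_000:  # exactly 1M treated as Level 2 (assumption)
        return 2
    if annual_transactions >= 20_000:
        return 3
    return 4

# Assumed validation cadence: quarterly ASV scans and annual SAQ/AOC.
SCAN_INTERVAL = timedelta(days=90)
ANNUAL_INTERVAL = timedelta(days=365)

@dataclass
class ComplianceRecord:
    annual_transactions: int
    last_asv_scan: Optional[date]       # date of the last passing ASV scan
    last_saq: Optional[date]            # date the SAQ was last completed
    last_aoc_submitted: Optional[date]  # date the AOC was last sent to the processor
    open_findings: int = 0              # unremediated vulnerabilities from the last scan

def _overdue(last_done: Optional[date], today: date, window: timedelta) -> bool:
    return last_done is None or today - last_done > window

def non_compliance_triggers(rec: ComplianceRecord, today: date) -> List[str]:
    """Return the fee triggers from the article that currently apply to this merchant."""
    triggers = []
    if _overdue(rec.last_saq, today, ANNUAL_INTERVAL):
        triggers.append("annual SAQ not completed")
    if _overdue(rec.last_asv_scan, today, SCAN_INTERVAL):
        triggers.append("quarterly ASV scan missed")
    if rec.open_findings > 0:
        triggers.append(f"{rec.open_findings} identified vulnerabilities not addressed")
    if _overdue(rec.last_aoc_submitted, today, ANNUAL_INTERVAL):
        triggers.append("compliance validation (AOC) not submitted")
    return triggers

# Constructed sample merchant: Level 3 volume, stale scan, open findings, stale AOC.
SAMPLE_TODAY = date(2025, 6, 30)
SAMPLE = ComplianceRecord(150_000, date(2025, 2, 1), date(2024, 9, 15), date(2024, 5, 1), 2)

if __name__ == "__main__":
    print("Level", pci_level(SAMPLE.annual_transactions), non_compliance_triggers(SAMPLE, SAMPLE_TODAY))
```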

Take action: Ensure PCI compliance with Liquid Web’s secure hosting solutions

PCI compliance is a critical aspect of modern business operations, protecting both your company and your customers from potential security breaches and fraud. 

While the process may seem complex, understanding and addressing PCI non-compliance fees is essential for maintaining a secure and profitable business. By following the compliance steps outlined above and working with trusted partners, you can establish and maintain the security standards required by the payment card industry.

The foundation of PCI compliance often starts with your hosting environment. Liquid Web’s PCI compliant hosting solutions provide the secure infrastructure you need to protect sensitive payment data and maintain compliance requirements with confidence.

Learn more about PCI Compliant Hosting with Liquid Web and take the first step toward eliminating non-compliance fees while protecting your business and customers.

FAQs

1. How are PCI compliance fees calculated?

PCI compliance fees are set individually by each payment processor. There are no regulations in place saying processors must not charge this or that, so compliance fees are entirely up to each processing company. In turn, you will see many different amounts and structures for compliance fees.

Most PCI compliance fees will be in the $10-$40 range. But again, some processors don’t charge them at all, while others can have fees as high as $100. Oftentimes, you will see processors attempt to incorporate their fee structure into their brand’s marketing. Popular slogans like “additional services, no fees” may hint at a processor’s approach to PCI non-compliance charges.

Of course, compliance fees are not the only charges you’ll see on your monthly statement from your processor. Much of their profit is made from percentage-based transaction fees. Set by each major credit card company, these transaction fees are often passed on by the processor in order to cover the cost. Transaction fees tend to vary between 1% and 3% of each payment processed.

2. Why do processors charge PCI compliance fees?

Processors charge fees for a few reasons that can range from profit to insurance. While many of the criticisms of bloated fee structures from processors may be valid, many fees have a purpose and directly cover the cost of doing business.

Processing payment cards requires assuming immense risks. While each party – consumer, business, processor, and bank – plays a part in a transaction, it’s ultimately the processor that is left holding the bag if fraudulent activity occurs.

3. What are the types of PCI non-compliance fees? 

There are three main types of PCI-related charges that businesses may encounter:

  • PCI non-compliance fees: Monthly charges (typically $20-$60) imposed when a business fails to prove PCI compliance through required documentation, quarterly network scans, or annual self-assessments.
  • PCI compliance fees: Smaller charges some processors assess to cover the cost of compliance-related services, such as network scanning and validation support. Not all processors charge these fees.
  • PCI compliance fines: Large, one-time penalties issued when security breaches occur due to compliance violations. These are typically the most severe and costly of all PCI-related charges.

While compliance fees can often be avoided by choosing the right payment processor, non-compliance fees and fines are standardized penalties for failing to meet PCI security requirements.

4. How can I assess my website’s current PCI compliance level?

To determine your website’s PCI compliance level, start by calculating your annual transaction volume. Level 1 businesses process over 6 million transactions yearly, Level 2 handles 1-6 million transactions, Level 3 processes 20,000-1 million e-commerce transactions, and Level 4 covers businesses with fewer than 20,000 e-commerce transactions annually.

Next, access your payment processor’s compliance portal. This platform typically provides access to your Self-Assessment Questionnaire (SAQ), current compliance status, recent security scan results, and any outstanding compliance requirements that need addressing.

Conduct a preliminary security assessment by examining your current security measures. This includes verifying your firewall implementation, encryption protocols, password policies, data storage practices, and overall network security measures. These elements form the foundation of PCI compliance and will give you a clear picture of where you stand.

5. What happens if I’m not PCI compliant? 

Non-compliance with PCI DSS requirements can have serious financial and operational consequences for your business. The immediate impact is monthly non-compliance fees from your payment processor, which continue until you achieve compliance.

More severe consequences occur if a security breach happens while you’re non-compliant. Your business may face substantial fines from payment card brands, ranging from thousands to hundreds of thousands of dollars, depending on the violation’s severity and the number of compromised records. Your payment processor might also increase your transaction fees or terminate your merchant account entirely.

6. Is PCI compliance mandatory? 

PCI compliance exists in a unique space between contractual obligations and legal requirements. While there is no federal law mandating PCI compliance in the United States, it is effectively required through several mechanisms.

First, PCI compliance is mandatory through contractual obligations with credit card companies and payment processors. If you want to accept credit card payments, you must agree to follow PCI DSS requirements as part of your merchant agreement. Non-compliance can result in fines ranging from $5,000 to $500,000 per incident, and you may lose your ability to process credit card payments entirely.

Some states have taken steps to incorporate PCI standards into law. Minnesota prohibits storing certain payment card data beyond 48 hours, Nevada explicitly requires PCI DSS compliance and offers liability protection, and Washington provides liability shields for compliant businesses. These state-level requirements add legal weight to compliance obligations in these jurisdictions.

The enforcement structure involves multiple parties: the PCI Security Standards Council sets the standards, while credit card networks and payment processing companies enforce them. Non-compliant businesses risk financial penalties and placement on the Member Alert to Control High-Risk Merchants (MATCH) List, which can severely impact their ability to process payments.

7. What share of websites are already PCI compliant? 

According to Verizon’s 2023 Payment Security Report, only 43% of American businesses currently maintain PCI compliance, revealing a concerning gap in payment security standards. This surprisingly low compliance rate represents a significant risk for both businesses and consumers in the digital payment ecosystem.

The majority of businesses (57%) operating without proper PCI compliance face multiple risks:

  • Greater liability in case of security incidents. 
  • Monthly non-compliance fees from payment processors.
  • Potential penalties ranging from $5,000 to $100,000 per month.
  • Increased vulnerability to data breaches and cyber attacks.
