Forcing Software for PCI Compliance
May 6th, 2008 in: Fraud, Merchant Accounts
Lately I’ve been hearing reports of processors that have started charging their customers $19.95 per month for not being PCI compliant. To make the charge go away, these processors require their customers to install PC-based scanning software that is supposed to magically make the business PCI compliant.
Let me start out by saying: This is a bunch of crap!
There is nothing you can simply install on a PC that will make your business PCI compliant. That idea is so far off course that it hardly relates to PCI at all. PCI compliance covers every network, computer, piece of hardware, and piece of software that plays a part in the processing, storage, or transmission of cardholder data.
Every business that accepts cards is now required to be PCI compliant, but let me assure you that there is no simple computer program that will accomplish this for any business. Even if only a single computer is used to enter card data, that computer is rarely the only piece of the puzzle, and it is even less likely that a single piece of software can guarantee compliance. At best, a scanning tool checks one machine against a subset of the requirements; it says nothing about the rest of the environment or about how card data is actually handled.
Steps to get compliant:
- Determine whether you need to be PCI compliant. (If you accept credit cards, or play any part in the processing of a credit card, you need to be PCI compliant.)
- Determine which Level of compliance is required for your business.
- Level 1: Greater than 6 million credit card transactions per year, any business that has suffered a hack or data breach, or any business deemed Level 1 by the card associations.
- Level 2: 1 to 6 million credit card transactions per year.
- Level 3: 20K to 1 million e-commerce credit card transactions per year.
- Level 4: Fewer than 20K e-commerce transactions, or fewer than 1 million total transactions per year.
- Fill out the Self-Assessment Questionnaire (SAQ).
- Fix every area that you answered ‘NO’ to on the SAQ.
- Have an Approved Scanning Vendor (ASV) perform quarterly vulnerability scans of any Internet-facing (external) systems. – All Levels
- Fix anything the scan flags as failing, and keep it fixed.
- Level 1 Only: Complete an annual on-site audit by a Qualified Security Assessor (QSA).
- ** Continue to maintain security of networks and card information! **
Once you complete all of those requirements, and maintain a secure network and business environment, you are PCI compliant. Most of the details can be found in the SAQ itself and on the PCI Security Standards website.
If you’re trying to decide whether PCI compliance is worth the trouble, consider this: a security breach moves a business to Level 1. Level 2, 3, and 4 compliance can cost as little as a few hundred dollars per year. Level 1 compliance, with its annual on-site QSA audit, can easily run into six or seven figures per year.
Some Good PCI Resources:
PCI Answers Blog
PCI Security Standards website
Visa Cardholder Information Security Program
MasterCard SDP Program
Comments
This PCI compliance is a massive scam!
I signed up for my Virtual Terminal merchant account back in August of this year. I have processed $140 dollars TOTAL to date.
All of a sudden I get a letter from First Data telling me I have to be PCI compliant or be charged $19.95 a month until I comply and be fined up to $350 a year!!
I called Security Metrics to do the survey and they inform me that the charge is $139.00. Of course, the salesman at First Data never mentioned this PCI Compliance crap or how much it might cost. Neither did the letter. On top of it all, since I have made a transaction on my account I have to pay $350 just to cancel my account.
This is like being extorted by the mob! There is no way to fight back either. It is “pay or else”…
Merry Christmas from PCI and First Data!
I, too, think this is a rip-off. If you’re not compliant it costs you $19.95 per month. How is that going to make cardholder information more secure? It’s not. They just want the money. Have you tried to pass these free evaluation security scans by one of the PCI Security companies? They make it impossible unless you sign up with them. I think these companies are owned by the Credit Card companies. Maybe not directly, but the money gets back to them somehow. How did all these companies sprout up all of the sudden? It’s all a big scam aimed mostly at small businesses.
I agree that PCI DSS compliance fees are a rip-off. My credit card processing company claimed that compliance is a federal mandate. It’s mandated by VISA, MC and the like. When I attempted to complete my SAQ questionnaire, no one (my bank, card processor, or the PCI compliance software company involved) knew what to do with it. So, who are the PCI DSS police? How are we as merchants protected? So the bank card companies get richer, the PCI compliance providers get richer. Imagine if everyone stopped using credit cards.
The PCI-DSS police are basically Visa/MC/AMEX/Discover. I recently heard a story of Amex charging $50,000 per month for non-compliance.
As far as protection goes, merchants aren’t protected in any way, even if they are PCI compliant. They are still completely responsible for lost cardholder data, whether compliant or not. PCI does not secure anything, and it doesn’t guarantee anything.
Jestep wrote:
PCI does not secure anything, and it doesn’t guarantee anything.
Yes it does – it provides CYA for everybody above us end users in the food chain!
My payment processor, Pipeline Data Processing, is going to charge me $150/yr to “assure my compliance”. According to the SBA, there are 23 MILLION small businesses in the US; assuming 1/2 take credit cards, my question is: where is the $150×11,500,000 = $1.72 BILLION/yr going?
We operate a small business (<$40K/year CC sales) and our customers are other businesses. Here is how we deal with the whole issue of “compliance”. We only use a virtual terminal to enter CC data, and we do not store any customer CC data on any of our systems. Even so, we get nicked $40 a year for their bogus compliance fee!
What’s unfortunate is that PCI doesn’t CYA for anything. A business is still fully liable for damages from a data breach. PCI does nothing more than show that a business protected against some of the more common areas that breaches occur in.
Here is my story in the form of the e-mail that I sent to First Data yesterday:
Dear First Data,
On Jan 16th, my other business, Waters of Superior, went through Security Metrics to become certified as PCI compliant. I called that same day to do the same for CPL Imaging and happened to ask if there was a way to become compliant without paying another $24.99. I was told, sure, just download the appropriate self-assessment questionnaire (from http://www.pcisecuritystandards.org), fill it out, and fax it to First Data.
On Saturday I called First Data customer service to find the fax number for the completed form. (Of course I had to get this done since it was the last day of January and I didn’t want to be hit for another $20 from First Data for a February of non-compliance.) I was told that I had been misinformed, that I am only able to certify through a third party like Security Metrics.
So I called Security Metrics back to hear that First Data is wrong and I should fax it to (801)xxx-xxxx which I did on Saturday, Jan 31.
Today I got a call from Security Metrics telling me that I should not have been told to fax it to the above (because that is their fax #), but rather I should fax to (954) xxx-xxxx which is First Data’s number.
So, I called First Data again to tell the customer service person that I am about to fax to First Data based on what Security Metrics had insisted to be correct. I was told that First Data cannot deem me compliant without a third party, put on hold for a very long time and told the same thing again. I asked if I could to talk to somebody at First Data who really knows how this PCI thing works and was told that there is no such person.
I called Security Metrics back and was told that the people that I talk to at First Data are just customer service people who do not know about PCI, that First Data has to accept my fax and certify me. They couldn’t give me a name, but did share this e-mail address.
Obviously I have spent much more of my time than the quick $24.95 it would have cost me and it is still not resolved. And now it’s February.
I am prepared to fax my completed 8-page questionnaire to (954) xxx-xxxx, but would like to hear from somebody who knows the score. Please respond with some good news.
Thank you,
I had several merchant accounts with First Data. I only used their virtual terminals when accepting credit cards but was told that any computer that I would ever access First Data’s YourPay site from, would need to be scanned for PCI compliance. Since YourPay makes their site available to any IP address in the world, and I travel and manage my business from many locations – I could not provide every IP address to scan, nor was it a reasonable request since YourPay services were not IP restricted. Further, I have private (not credit cards) information about clients on my home-business computers, and would not allow a 3rd party (Security Metrics) to “scan my computers,” especially because it was not a reasonable request. I asked to be excused from my contract and closed my accounts. With each request my accounts were closed instantly, but I was charged another month of account fees AND more non-compliance fees for accounts I didn’t have open. Today, I had $500 dollars taken from my last account (closed last month) as a penalty for early termination (I had it for more than two years). I have one thing to tell anyone who reads this – investigate Websites Payment Pro – a new product developed by Paypal in reaction to First Data’s terrible treatment of customers like us (my opinion). Guess what folks? One flat fee for ALL types of cards (no surprises for corporate cards), no set up fee, no penalty for closing early – and they take AMEX. I really like their web interface MUCH better than having to figure out all the random deductions that First Data took from my account. Good luck to all who want to stick around and take First Data’s abuse. I’m outa here, and keeping my ear to the ground for the class action law suit.
Websites Payment Pro is not new. Paypal has offered it for at least five years now. On that topic, there’s a good reason that Paypal is still barely a competitor when it comes to businesses. Their support is terrible. They freeze accounts, sometimes permanently, without any warning. Search around the internet for stories about Paypal account limiting policies. For every bad story you can find about a credit card processor, you can find 20 about paypal. I would never trust my business’s ability to process solely on Paypal. Relying only on Paypal is like throwing dice.
Hello EVERYONE!!!!!!
Hate to be the Devil’s Advocate, but I love Security Metrics. They helped me become PCI compliant and it took 5 minutes!
The charges are dictated by how you initially filled out your contract with FDMS. From my understanding FD customers have a couple of options.
1 – You signed a contract that allows FDMS to charge you an annual fee, so that when you call Security Metrics they will NOT obtain a credit card number and you just need a password.
2 – FDMS doesn’t charge you an annual fee, which is cheaper, but Security Metrics will need to get a credit card # and charge validation type 1, 2, and 3 businesses $24.99 a year.
3 – Validation types 4 and 5 are $139.99.
4 – Security Metrics can explain to you how to go about the free version, but as mentioned above it can be a hassle. The reason that the person above had such an issue is b/c (IMHO) there was some teaching/training issues on part of the FDMS rep. Security Metrics does know how to do PCI compliance, if you call and ask them, they’ll tell you, that is all they do! They are right. Security Metrics works with a specific liaison from not only FDMS but hundreds of other Merchant Processors. So the info they give you comes straight from the top.
When I called Security Metrics for my business it really did take five minutes.
DOES IT HELP!!! Yeah, look at their website, http://www.securitymetrics.com, and right on their home page they have a link that shows you recent news about businesses that have had credit card compromises. Had they been PCI compliant they wouldn’t have any issues. The whole problem in the entire US and UK business world is that no one will admit that they could be at fault. It is just like not wearing a seat belt: sure, you can be a good driver, but that doesn’t mean someone isn’t going to smash into your car! So you wear a seat belt!
Just go back to accepting cold hard Cash! Screw these companies with their PCI garbage!
We don’t do any internal processing. Everything is done through YourPay.com 700 transactions per year. Still had to do the pci compliance to get rid of the recurring monthly pci failure charges. SCAM
I believe in protecting card data, but PCI is killing small businesses. Over-compensating rules like only allowing one service per server pretty much guarantee that many small businesses won’t be able to comply. Add to that the fact that most cloud service providers won’t provide their customers with a binding contract indicating responsibility for card data, and small business has no hope.
If card companies really wanted to solve this problem, all they have to do is provide merchants with a card data storage service. Then the merchant could just pass a token to the card provider and end card data flying around the Internet, or being stored at a million different locations. Who knows how to securely store card data better than the card companies?
Unfortunately, the credit card companies are treating this just like they did their own customers many years ago. They shortened the duration between the time their bill gets mailed and the payment is due, thereby increasing their late fee revenue by 30%. They will never offer services to small companies to help them address PCI because this is really just a money game. They are making tons of money issuing large fines and don’t want to lose that easy revenue. Providing a storage service would solve the problem, but that means they have to actually work for the money.
Come on Visa, MasterCard, Discover, and American Express! Do the right thing and HELP all these small companies that are making you a lot of money!!!