First Data PCI Compliance fee
First Data announced a new PCI Compliance fee for all Tier 4 merchants. This bulletin will be, or already has been, placed on merchant statements. Basically, they require all merchants to complete a self-assessment survey, and all merchants will be subject to a $79 annual compliance fee; non-compliance will result in additional fees of $19.95 per month.
If you have not already completed one, please go to the PCI Security Standards Council, download the appropriate PCI SSC Self-Assessment Questionnaire, and complete it immediately. All Level 4 merchants should be in full compliance per the terms of accepting Visa, MasterCard, etc. The PCI Data Security Standard Self-Assessment Questionnaire is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS).
This fee will affect over 100,000 merchants because First Data is a huge partner with Independent Service Organizations (ISOs). Even though you may have a merchant agreement with an ISO, such as First Payment Systems, the agreement will clearly state that it is underwritten by First Data or another entity.
First Data Selects SecurityMetrics for PCI Initiative (download press release PDF)
Tags: first data, PCI compliance
June 18th, 2009 at 9:38 am
I just applied with a few merchant account providers – I want to compare offers.
I noticed some wish to charge me PCI compliance fees. In such cases, will I still be obliged to fill out the Level 4 merchant form?
June 18th, 2009 at 1:22 pm
Two things. First, a huge number of merchant accounts process through First Data, through the ISO Merchant Service Provider network. So applying to numerous providers could still get you a whole bunch using First Data. ANY Tier 4 merchant who has an agreement that is underwritten by First Data is subject to the compliance fees. Some merchant service providers will pass on the fees, some will absorb them. In my business, we pass on fees as this keeps it much cleaner for us to give them “pass through cost” pricing or “cost plus” pricing. If we did not pass on the fees, then they would be buried in costs somewhere else. So the point is, we provide transparency on all costs.
Second, the Level 4 merchant form should be completed, period. It’s for your protection too. Send it to whomever is charging you a compliance fee. Unless you are paying another party for PCI Compliance, you will not likely get out of this fee. I have not seen the First Data self-assessment form, but it is likely a duplicate of the PCI Security Standards Council self-assessment survey, http://www.pcisecuritystandards.org. Paying a fee doesn’t make you compliant. You have to be compliant, and now attest to it via the survey.
Remember, the whole reason this came about is because Tier 4 merchants were NOT filling out the form and this was easily discovered when evaluating those who had data breaches or other fraud issues. So now someone will be checking it, and there is a cost associated with having someone read all these papers.
July 6th, 2009 at 1:17 pm
Why is it that my merchant provider is charging me $129 when this site says it’s a $79 annual charge?
July 6th, 2009 at 4:05 pm
The ISO I work for has an agreement with First Data, and $79 is the actual cost we are passing along to merchants. Maybe your merchant provider is marking it up, or maybe First Data is charging them a different rate. There is no way for me to know.
July 23rd, 2009 at 6:27 pm
Will my assessment be covered by the $79 annual fee? Or does Security Metrics bill me also?
July 23rd, 2009 at 7:04 pm
Amended response: First, answering generically, I cannot address individual vendor billing decisions. Any merchant who has a PCI Compliance certification from a third party should immediately request that they be allowed to send that in and get a fee waiver. It’s worth a shot.
July 23rd, 2009 at 7:24 pm
Many merchants who have some relationship with First Data, either as the underwriter or something else, will receive an offer for PCI Compliance certification from Security Metrics, whom First Data selected to help their merchants become compliant.
Again, while I cannot comment on other vendor billing decisions, let’s say that you received that notice from my ISO. Then the answer is yes. You will pay only one fee, not a fee to both parties.
Please follow up with your billing experiences and subscribe to our feed for future notices.
Related article: First Data Merchants Attain Record PCI Compliance
July 23rd, 2009 at 8:02 pm
Thank you for your response. This helps me.
Just so I understand completely before I register with Security Metrics: by entering my First Data merchant account number, I will be identified and not billed anything by Security Metrics. This makes the First Data fee represent value that I did not understand before.
August 12th, 2009 at 1:52 pm
Sorry for the delayed review of your note. Have you already done this? Entered your account number and seen what happens?
I did get some clarification on prior questions:
1. The Security Metrics fee is automatically put on your merchant account and monies are collected via your standard billing. In most cases this is once per month via ACH transfer when merchant fees are collected.
2. The fee can vary by merchant services provider. I have now seen other merchants with First Data underwriting that also have a $129 fee, as Donna received. My ISO’s negotiated rate is $79; however, it seems we have a special deal, as we haven’t heard of others getting this. As a wholesaler to mid-size businesses, our volume and client portfolio quality MAY have been a factor, but I don’t have that particular information.
3. There are no exceptions to the fee, regardless of any other service you may already use. That is what our agreement states, and I’m confident this is across the board for all merchant services providers.
September 7th, 2009 at 2:52 pm
Hello,
I work for an MSP and our processors are charging PCI fees. I have been told that Heartland is not charging any PCI fees… compliant or otherwise. Can anyone confirm this, and if so, how can Visa/MC allow a company with the largest data breach in history to gain a competitive advantage from their “mistake”?
Thank you!
September 8th, 2009 at 12:48 pm
This was a First Data initiative to bring merchants into compliance, planned long before the Heartland data breach was announced. They are really two different things: you’ve identified a specific processor problem (Heartland), and the other is a merchant problem. Since the data breach was internal, it is irrelevant to the PCI Compliance of Heartland merchants.
That being said, are Heartland customers more likely to be PCI Compliant and thus don’t need a program like the one First Data created? The National Retail Federation 2009 PCI Compliance survey results for small businesses, a target market of Heartland, show they are largely non-compliant. In my opinion, Heartland’s PR, such as the CEO speaking this summer to the NTF about the future of security for online payments, doesn’t match up with the reality of their security efforts.
Does Heartland have a competitive edge? “Mr. merchant, you’re required to be PCI Compliant. Because most merchants fail to follow the standards required, it’s being enforced with a minimal annual fee. If you are not in compliance and there is a data breach, I assure you, you cannot afford the losses. The average cost of a suspected data breach is $8000-20000 for a Level 4 merchant and for an actual breach averages $36,000. Would you rather be with a processor with a track record of data breaches or one who goes the extra mile to protect their merchants, by insuring that they protect themselves? Isn’t it worth — dollars per year for PCI certification and Safe Harbor protection? “
September 14th, 2009 at 1:39 am
Does PCI Compliance allow you to save the track data until you process the card?
For example, if someone gives you a card to process at the beginning of next month, can the track data be stored until then?
October 5th, 2009 at 1:17 am
I don’t understand why it is up to the merchant to prove compliance when the equipment and system are provided by the merchant service. Doesn’t the merchant already pay for a compliant system to start with? Isn’t the merchant to expect that the system they are paying for is compliant? How is my wireless swiper non-compliant?
October 28th, 2009 at 2:43 pm
Compliance is more than just equipment. For example, I visited a rental retail office where the clerk copies the front and back of the credit card and then puts it in a file. This violates multiple compliance requirements.
Additionally, not all equipment is compliant. Many companies have older equipment that is no longer compliant, but their processor hasn’t contacted them to let them know it’s no longer compliant. Some buy theirs on the internet and their processor lets them program it even though it’s non-compliant.
I have no idea if your wireless solution is compliant or not. I suggest you go to the manufacturer’s web site and read the specs.
November 2nd, 2009 at 11:21 pm
JL - your reply was off topic, so I posted it as a new item with your answer: Does PCI Compliance allow you to save the track data until you process the card?
March 10th, 2010 at 2:49 am
If the ISO has its own program and gets the PCI self-assessment form completed, do they need to file a copy directly with First Data or just keep it on file?
March 10th, 2010 at 3:44 am
First Data has retained Security Metrics for all Level 4 merchants. I’m not aware of any exceptions. This means that all merchants under a First Data ISO will also, by extension, be required to comply with Security Metrics’ request.
The PCI compliance paperwork is sent automatically to all merchants by Security Metrics.
The paperwork goes to the same person/address as the merchant statement.
The merchant communicates directly with Security Metrics.
The merchant receives a certification record from Security Metrics when the paperwork is done and approved. In my experience, a phone call will be initiated by Security Metrics to the merchant if there is ecommerce involved, before final approval.
Security Metrics informs First Data when a merchant fails compliance or fails to complete the paperwork. This generates a billing process per the merchant notification letter. I’m assuming they also send a record of the date of compliance to First Data.
Future compliance requirements, whether quarterly or annually, are continued with Security Metrics.
The ISO is not notified when the paperwork is sent to merchants.
The ISO is not notified when a merchant completes their paperwork.
I don’t know the steps for notification to ISOs of merchant non-compliance, or whether merchants simply get billed without any notification.
So to answer your question, if they have an agreement to operate outside the norm, then they should know the answer to the question. Do you receive statements in the mail now? I’d be leery of anyone filing on your behalf without you actually completing any paperwork yourself.
The information provided herein should not be relied upon for 100% accuracy. Merchants should contact their ISO directly.
May 10th, 2010 at 12:19 pm
I own one small shop storefront, yet pay 3% fees + a fixed 20 cents + various fees for special rewards cards + statement fees. Now they’ve added $100 PCI compliance fees globally due to the prevalence of fraud abuse. If they can’t implement a system that is secure with the money they are generating from all those fees, why am I paying them an additional fee for their service? Here is what I am going to do: I am going to charge all my customers 5% more for credit card use, as a CC tax. I am going to accept and encourage checks and/or cash. As a merchant, my only way to fight is by adopting this approach; VISA and MC should ultimately be hurt by this decision, but unfortunately, customers continue to blindly do business by credit until they see it impact their wallets visibly. I hope others join my campaign.
May 10th, 2010 at 7:03 pm
Hi Jh2,
I understand your frustration. But I’m going to object to your statement “they’ve added $100 PCI compliance fees globally due to the prevalence of fraud abuse”. Compliance fees are being forced because (7?) years of attempting to get merchants to become PCI Compliant on their own failed. Roughly 50% remained non-compliant in very large spot-check studies. What does that mean? Merchants openly storing credit card numbers, and all kinds of other careless activities that exposed consumers’ cards. Not everyone, but roughly HALF.
As to your CC tax, I suggest you read your Visa and MasterCard merchant manual. If you don’t have one, visit our ’sticky’ pages for links and you can download it.
Lastly, customers have drastically reduced credit and have converted to debit, roughly 50%. Debit is cheaper than credit. If debit is not evident on your statement, maybe you are getting a really raw deal. I don’t personally work with very small accounts, but if you want to fill out our form here http://3dmerchant.com/contact/account-analysis.php I’ll have someone else review your situation for you.