Comments on: First Data PCI Compliance fee

By: cspeedy

cspeedy — Tue, 29 Nov 2011 15:24:11 +0000

HI Dana
I haven’t heard of a $189 fee or an increase yet from anyone else.
Something is amiss with what’s going on in your account.
When you pay your processor the fee, you login to Security Metrics and should not be charged another fee. It sounds like you’ve signed up at SM and are paying them. Therefore, the certification is not getting back to FD. When there is a mix up, contact your processor.
$19.99 is because the processor does not have a record of the completed certification.

If you’re switching, contact me for options. We can help.

By: Brains auto center

Brains auto center — Tue, 11 Oct 2011 03:01:30 +0000

First data charged me also.what a scam,I am changing services and also going to complaining to SAMs wholesale where I got the services threw

By: POFFMERCHANT

POFFMERCHANT — Thu, 15 Sep 2011 17:26:09 +0000

I became compliant and First Data still kept charging the fee for months. I had to relentlessly call them and security matrix to find out why this was happening. Each person I spoke with came up with a different reason for the continued charges, which has assured me this charge has been bogus since the day it started. First Data agreed to refund me a portion of this fee, which is a total admission on their part the fees for PCI are bogus.

By: daniel

daniel — Thu, 01 Sep 2011 21:17:51 +0000

We run a small hair salon that does maybe $15k worth of visa transactions annually. We have a dial up card reader, no internet connection, and store none of our records digitally. Our receipts are handled by me and nobody else. Yet I have to pay 129 bucks a year to fill out a three-line survey on a website, none of the questions from which apply to my business.

What a ripoff.

By: 3D Merchant admin

3D Merchant admin — Thu, 01 Sep 2011 02:23:30 +0000

Sorry for your troubles- make sure you work with them until you pass to avoid monthly fees as well as liability should you have a data breach. As a last resort, if you can’t resolve that, contact Christine here at 3D Merchant Services for an alternative processor that does not use Security Metrics, though I strongly recommend everyone use a 3rd party service for protection. It’s an added layer you can use in your defense should you ever be accused of a data breach.

My scan passed yet again on Friday. Here’s the email excerpt- Site Certification Pass- Your scan (ID———09) has completed for the following Site Certification:
IP Address: ————-3
Domain Name: —————–
SCID: —————-

Congratulations, your scan passed! If ‘——————’ is a publicly accessible web site, you may now place the SecurityMetrics Site Certified logo on that specific website. This logo helps increase consumer confidence and spending. See your latest passing scan results and select the “Add Site Certified Logo Instructions” link.

If you are participating in the merchant compliance program, you should log into your account and ensure that you have completed all your compliance requirements.

By: Patrick M

Patrick M — Tue, 30 Aug 2011 04:48:21 +0000

Security Metrics provided us with a list of TCP and UDP ports on our corporate IP address that are in violation and therefore, resulted in a fine. However, we had several scans done and could not find any such ports that yield a security risk. Additionally, we could not find any ports open that they reported. Further more, gateways simply do not provide any open ports in the first place. After I talked with them directly and finally got someone who even knew what a port is, they told me that the scan may not be accurate and that it is generally an approximation because they could not do anything but ping a customers Gateway to a LAN. What a scam! I too will assist in any class action lawsuit as well. meanwhile Visa MC is cashing in on us.

By: Lady T

Lady T — Thu, 30 Jun 2011 01:02:05 +0000

I’m waiting for that class action lawsuit as well.

I understand completely why the credit card companies and processors want merchants to understand compliance and BE compliant, but the SAQ’s are available for free online from the PCI Security Standards Council. This is the body that makes all the rules, and according to them a complete SAQ is all that is needed from small businesses like ours that don’t process cc information online and have no POS.

I got hoodwinked by an acquirer who said we could use the SAQ for self-attestation of compliance and then denied it once we established an account. They sent me to Security Metrics where I completed the EXACT SAME questionnaire online – then they denied that too! In the meantime they’re charging us $19.95 a month PLUS they slapped a $99 annual compliance fee on us, and for what? What are we paying for? The privilege of filling out a questionnaire that I can (and did!) get for free elsewhere?

The credit card companies themselves (Visa, MC, etc) insist that acquirers validate their customer’s compliance, but they have nothing to do with the fees. It’s totally arbitrary, just another way to make a profit. Most customers won’t even look that closely at their statements, and those that do will be made to believe this is some kind of law and/or the fees are simply handed down from the top, but they’re simply not. There needs to be some regulation of this industry, to protect businesses from predatory practices like this.

I’m told there’s a government agency in the works to do just that. Maybe help is on the way? Let’s hope.

By: Semyon

Semyon — Fri, 17 Jun 2011 04:32:10 +0000

After reading all the posts and the Administrator’s answers – I am coming to conclusion that PCI compliance fee is bogus and outright rip-off. What is the purpose of paying $129 (usually – because $79 is almost always marked up) if the only transactions the merchant does are through dummy terminal? No names and full CC numbers are printed. What expenses does Merchant Account Provider endure in this case? None.
There are two problems with CC transaction security, thou:
1) The Merchant Account Providers are having direct access to merchant’s bank account. They will do anything to debit those accounts justifying it by any reasons and ridiculous fees.
2) 99% of every online fraud are caused by insiders ( they can be Merchant Account Provider’s employees as well) – so paying any fees to the same people who potentially can do the most harm is a double nonsense.

By: 3D Merchant admin

3D Merchant admin — Wed, 15 Jun 2011 15:14:53 +0000

Hi Dana- $19.95 is charged when they don’t receive your certification. If they are reported correctly on time you will never see this fee. Something is amiss. If you pay First Data $99, you should not also pay Security Metrics $25. PCI Compliance is not just for online. If you read the appropriate worksheet at pcisecuritystandards.org, you choose the one right for your company. Plenty of data breaches occur in retail and business environments that are not online.
If you want an offline solution with no annual PCI fee give me a call. A word of warning though- it’s a small fee for the protection it provides if you maintain proper procedures year round, not just on the day you complete a form.

By: Dana

Dana — Sun, 12 Jun 2011 19:33:39 +0000

We pay Security Metrics a $25 fee every year to become “certified,” although we do not do any financial business online, and do not store any financial data. We use a dumb swipe terminal. They are supposed to be contacting First Data to tell them we are certified.

We intermittently get charged $19.99 PCI Security Fee by First Data during the year even though we are certified. In addition, at the end of the year, First Data charged us an additional $99 PCI Security Fee.

We are going to switch clearinghouses. This is ridiculous! As an aside, I fail to see why the merchants should have to pay ongoing fees for security problems that MasterCard and VISA are having.