First Data PCI Compliance fee

First Data announced a new PCI Compliance fee for all Tier 4 merchants. This bulletin has been or will be placed on merchant statements. Basically, they require all merchants to complete a self-assessment survey, and all merchants will be subject to a $79 annual compliance fee; non-compliance, including failing to respond, results in additional fees of $19.95 per month.

If you have not already completed one, please go to the PCI Security Standards Council, download the appropriate PCI SSC Self-Assessment Questionnaire, and complete it immediately. All level 4 merchants should be in full compliance per the terms of accepting Visa, MasterCard, etc. The PCI Data Security Standard Self-Assessment Questionnaire is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS).

This fee will affect over 100,000 merchants because First Data is a huge partner with Independent Service Organizations (ISOs). Even though you may have a merchant agreement with an ISO, such as First Payment Systems, the agreement will clearly state it is underwritten by First Data or another entity.

First Data Selects Security Metrics for PCI Initiative (download press release PDF)

Related Article Non-receipt of PCI Validation fee

54 thoughts on “First Data PCI Compliance fee”

  1. Two things- First, a huge number of merchant accounts process through First Data, through the ISO Merchant Service Provider network. So applying to numerous providers could still get you a whole bunch using First Data. ANY Tier 4 merchant who has an agreement that is underwritten by First Data is subject to the compliance fees. Some merchant service providers will pass on the fees, some will absorb them. In my business, we pass on fees as this keeps it much cleaner for us to give them “pass through cost” pricing or “cost plus pricing”. If we did not pass on the fees, then they would be buried into costs somewhere else. So the point is, we provide transparency to all costs.

    Second, the level 4 merchant form should be completed- period. It’s for your protection too. Send it to whomever is charging you a compliance fee. Unless you are paying another party for PCI Compliance, you will not likely get out of this fee. I have not seen the First Data self-assessment form, but it is likely a duplicate of the PCI Security Standards Council self-assessment survey. Paying a fee doesn’t make you compliant. You have to be compliant, and now attest to it via the survey.

    Remember, the whole reason this came about is because Tier 4 merchants were NOT filling out the form and this was easily discovered when evaluating those who had data breaches or other fraud issues. So now someone will be checking it, and there is a cost associated with having someone read all these papers.

  2. I just applied with a few merchant account providers. I want to compare offers.
    I noticed some wish to charge me PCI compliance fees. In such cases will I still be obliged to fill out the level 4 merchant form?

  3. The ISO I work with has an agreement with First Data and $79 is the actual cost we are passing along to merchants. Maybe your merchant provider is marking it up, or maybe First Data is charging them a different rate. There is no way for me to know.

  4. amended response: First, answering generically, I cannot address individual vendor billing decisions. Any merchant who has a PCI Compliance certification from a 3rd party should immediately request that they be allowed to send that in and get a fee waiver. It’s worth a shot.

  5. Many merchants who have some relationship with First Data, either as the underwriter or something else, will receive an offer for PCI Compliance certification from Security Metrics, whom First Data selected to help their merchants become compliant.

    Again, while I cannot comment on other vendor billing decisions, let’s say that you received that notice from my ISO. Then the answer is yes. You will pay only one fee, not a fee to both parties.

    Please follow up with your billing experiences and subscribe to our feed for future notices. related article First Data Merchants Attain Record PCI Compliance

  6. Thank you for your response. This helps me.
    Just so I understand completely before I register with Secure Metrics, by entering my First Data merchant account number, I will be identified and not billed anything from Secure Metrics. This makes the First Data fee represent value that I did not understand before.

  7. Sorry for the delayed review of your note. Have you already done this? Entered your account number and seen what happens?

    I did get some clarification on prior questions:
    1. The Security Metrics fee is automatically charged on your merchant account and monies are collected via your standard billing, usually via ACH transfer. The PCI fee will be assessed at the same time as when merchant fees are collected.
    2. The fee can vary by merchant services provider. I have now seen other merchants with First Data underwriting that also have a $129 fee as Donna received. My ISO negotiated rate is $79, however it seems we have a special deal as we haven’t heard of others getting this. As a wholesaler to mid-size businesses our volume and client portfolio quality MAY have been a factor, but I don’t have that particular information.
    3. There are no exceptions to the fee, regardless of any other service you may already use. That is what our agreement states, and I’m confident this is across the board to all merchant services providers.

  8. Hello,
    I work for an MSP and our processors are charging PCI fees. I have been told that Heartland is not charging any PCI fees…compliant or otherwise. Can anyone confirm this and if so how can Visa/MC allow a company with the largest data breach in history to gain a competitive advantage from their “mistake”?
    Thank you!

  9. This was a First Data initiative to bring merchants in compliance, planned long before the Heartland data breach was announced. They are really two different things- you’ve identified a specific processor problem (heartland) and the other is a merchant problem. Since the data breach was internal it is irrelevant to the PCI Compliance of Heartland merchants.

    That being said, are Heartland customers more likely to be PCI Compliant and thus don’t need a program like First Data created? The National Retail Federation 2009 PCI Compliance survey results for small businesses, a target market of Heartland, show they are largely non-compliant. In my opinion, Heartland’s PR such as the CEO speaking this summer to the NTF about the future of security for online payments, doesn’t match up with the reality of their security efforts.

    Does Heartland have a competitive edge? “Mr. merchant, you’re required to be PCI Compliant. Because most merchants fail to follow the standards required, it’s being enforced with a minimal annual fee. If you are not in compliance and there is a data breach, I assure you, you cannot afford the losses. The average cost of a suspected data breach is $8000-20000 for a Level 4 merchant and for an actual breach averages $36,000. Would you rather be with a processor with a track record of data breaches or one who goes the extra mile to protect their merchants, by insuring that they protect themselves? Isn’t it worth — dollars per year for PCI certification and Safe Harbor protection? “

  10. Does PCI Compliance allow you to save the track data until you process the card.

    For example someone gives you a card to process in the beginning of next month, can the track data be stored until then?

  11. I don’t understand why it is up to the merchant to prove compliance when the equipment and system is processed by the merchant service. Doesn’t the merchant already pay for a compliant system to start with? Isn’t the merchant to expect that the system they are paying for is compliant? How is my wireless swiper non compliant?

  12. Compliance is more than just equipment. For example, I visited a rental retail office where the clerk copies the front and back of the credit card and then puts in a file. This violates multiple compliance requirements.

    Additionally, not all equipment is compliant. Many companies have older equipment that is no longer compliant but their processor hasn’t contacted them to let them know it’s no longer compliant. Some buy theirs on the internet and their processor lets them program it even though it’s non-compliant.

    I have no idea if your wireless solution is compliant or not. I suggest you go to the manufacturer web site and read the specs.

  13. If the ISO has its own program and gets the PCI self-assessment form completed, do they need to file a copy directly with First Data or just keep it on file?

  14. First Data has retained Security Metrics for all level 4 merchants. I’m not aware of any exceptions. This means that all merchants under a First Data ISO will also by extension be required to comply with Security Metrics request.
    The PCI compliance paperwork is sent automatically to all merchants by Security Metrics.
    The paperwork goes to the same person/address as the merchant statement.
    The merchant communicates directly with Security Metrics.
    The merchant receives a certification record from Security Metrics when paperwork is done and approved. In my experience, a phone call will be initiated by Security Metrics to the merchant if there is ecommerce involved, before final approval.
    Security Metrics informs First Data when a merchant fails compliance or fails to complete paperwork. This generates a billing process per the merchant notification letter. I’m assuming they also send a record of date of compliance to First Data.
    Future compliance requirements, whether quarterly or annually, are continued with Security Metrics.
    The ISO is not notified when the paperwork is sent to merchants.
    The ISO is not notified when a merchant completes their paperwork.
    I don’t know the steps for notification to ISO’s for merchant non-compliance or if merchants simply get billed without any notification to merchants.

    So to answer your question, if they have an agreement to operate outside the norm, then they should know the answer to the question. Do you receive statements in the mail now? I’d be leery of anyone filing on your behalf, without you actually completing any paperwork yourself.
    The information provided herein should not be relied upon for 100% accuracy. Merchants should contact their ISO directly.

  15. I own one small shop storefront, yet pay 3% fees + fixed 20 cents + various fees for special rewards cards + statements fees. Now they’ve added $100 PCI compliance fees globally due to the prevalence of fraud abuse. If they can’t implement a system with the money they are generating from all those fees that is secure, why am I paying them an additional fee for their service? Here is what I am going to do, I am going to charge all my customers 5% more for credit card use, as a CC tax. I am going to accept and encourage checks and/or cash. As a merchant, my only way to fight is by adopting this approach, VISA and MC should ultimately be hurt by this decision; but unfortunately, customers continue to blindly do business by credit until they see it impact their wallets visibly. I hope others join my campaign.

  16. HI Jh2,
    I understand your frustration. But I’m going to object to your statement “they’ve added $100 PCI compliance fees globally due to the prevalence of fraud abuse”. Compliance fees are being forced because (7?) years of attempting to get merchants to become PCI Compliant on their own failed. Roughly 50% remained non-compliant in very large spot check studies. What does that mean? Merchants openly storing credit card numbers, and all kinds of other careless activities that exposed consumers cards. Not everyone, but roughly HALF.
    As to your CC tax, I suggest you read your Visa and MasterCard merchant manual. If you don’t have one, visit our ‘sticky’ pages for links and you can download.
    Lastly, customers have drastically reduced credit and have converted to debit- roughly 50%. Debit is cheaper than credit. If debit is not evident on your statement, maybe you are getting a really raw deal. I don’t personally work with very small accounts, but if you want to fill out our form here I’ll have someone else review your situation for you.

  17. This is a junk fee. If you are using a land line terminal you are already PCI compliant without having to do any of the things First Data is requesting you to do. The only time you may not be PCI compliant is if you are using software on a pc.
    Merchants should check with their software dealer to ensure they are using the latest version. They can also verify if the software and version are included on the PCI Security Standards Council’s Validated Payment Application list at

    Don’t let processors bully you into paying this when you have a land line terminal. Heartland Payment Systems is one that I know of that does not charge this junk fee.

  18. DS your response is misinformed. First of all, PCI Compliance is not just having a terminal that is PCI Compliant. For example, what if the merchant accepts orders over the phone, even occasionally. Do they key enter the data directly into the terminal immediately? Or do they write it on a piece of paper? That’s just one example of how problems with compliance can arise.

    How many merchants have never even heard of the PCI Data Security Standard Self-Assessment Questionnaire? That’s the issue. And that’s why First Data is mandating that merchants actually read the document and affirm they have taken all the steps needed for their specific operation to be in compliance. It has nothing to do with landlines or computers. It’s the entire picture of how a merchant accepts credit cards and how they protect card holder data.

    For the record, I’ll repeat it again. I don’t charge this fee. The ISO I work with doesn’t charge the fee. The program is managed by Security Metrics on behalf of First Data.

  19. Compliance!! REALLY?? Anyone with half a brain should know not to write a credit card number down and leave it lay around. I seriously doubt it’s the average small business owner that is causing fraud problems. This is just another way for credit card companies to take advantage of us!
    I am a small business owner and these fees are killing me! I run two companies through the same site so all of my fees are doubled. I was just assessed a $129.00 compliance fee for each company. I already pay an annual fee of $99 per company along with all the fees already attached to processing! I have a year left on my contracts and, I for one, will be canceling my accounts and no longer accepting credit cards at that time. I’d do it now but I’d have to pay a $600 cancellation fee for each account. RIP OFF!! I hope more small businesses will stop accepting credit cards so you credit card processing companies will suffer the loss that you are causing us to suffer.

  20. I work out of my home and I’m an independent sales rep for a direct selling company. I accept payment cards and process them through the direct selling company’s web portal. Do I have to be PCI Compliant even if my direct selling company is compliant? VISA told me that because I’m accepting the credit cards numbers I am considered a Level 4 merchant and I have to be compliant also. Where does First Data stand on this?

  21. Tina- Let’s address a few of your points.
    No one should leave card numbers lying around. Agreed. Next time you go to a restaurant, doctor, or any store, look at the merchant receipt. You’ll be surprised how many show the full card number.
    Less than half of small businesses were found to be compliant in a survey even after 5 YEARS of asking them to get compliant. Big businesses get the press but small businesses are part of the problem too and should not be excused from following safe procedures.
    Annual fees, compliance fees and Cancellation fees- buyer beware. By shopping around you can minimize this. Probably the most important thing I tell businesses is to BUY your own equipment. High Cancellation fees are usually reflective of giving a merchant free equipment upfront. There’s a price to pay for that somewhere along the line.

    Please don’t put me in the “you credit card processing companies” bucket of people to get angry at.
    I am not a processor. I’m an agent for processors. I place merchants with the optimum solution for their business.
    I’m also a small business owner for 10 years outside of I train the staff at my ecommerce company to understand how important it is to capture funds immediately upon shipping as this can affect our costs, a difference of .5% in most cases due to heavy b2b clients using corporate cards. I understand your pains. I also know that accepting credit cards boosts company sales. It’s a rare type of business that can thrive without accepting them.

    Next time you need a merchant account, find one without an annual maintenance fee and negotiate a zero cancellation fee, assuming you have your own equipment.

  22. I have a small hair salon. All 7 stylists have their own merchant account so their transactions are deposited directly into their own accounts. My ISO just charged every account $99 to be PCI compliant. I questioned this fee and got a ridiculously combative response from my ISO, Merchant Direct Inc. who represents FirstData. I then called FirstData and they told me if I switched to direct cc processing through them, they would waive all my “child accounts” fees. I quickly went to Security Metrics website, called customer service and am in the process of filling out the SAQ forms for all of my stylists. I also found out that Security Metrics do not charge $79 per account which the ISOs claim is a pass through fee. Based on volume, number of accounts, First Data is charged a blanket fee for PCI Compliance and can charge whatever it wants to its merchants. Then it “hoses its merchants”!

  23. HI Mark- Let me clarify a few things.
    First Data contracted with Security Metrics for PCI Compliance. Let’s say for example, there are 500,000 level 4 accounts under this agreement. They’re paying a bulk fee to SM for all 500,000 accounts. First Data has ISO’s. Each ISO has its own unique relationship with First Data. First Data makes a deal with each ISO what fee it’s going to charge for each level 4 merchant account to participate in the PCI Compliance program they’ve negotiated with Security Metrics.
    Let’s say the agreed upon fee is $79.
    First Data charges the ISO $79.
    Security Metrics charges nothing to the merchant. Their relationship is with First Data, on a bulk billing basis.
    The ISO flags the merchant account to ‘pass through’ the $79 fee to the merchant.
    The merchant gets a notice on their merchant statement about the annual fee, then they get billed.

    None of this is in stone. The ISO could charge more– or less. The ISO may have a higher fee than $79 — or less. There are many variables.
    As to the ‘per merchant account’ fee being waived. The ISO is billed PER MERCHANT account, assuming each merchant account has a unique Tax ID number, as in your case. So if the fee is waived, then I can only assume the ISO is making up the fee by charging more for regular merchant services.
    On another note, it’s nice that you are filling out the SAQ’s for your stylists. However, I would require the stylists to read the papers and fill them out and hand to you for input. Why? What have they learned if they never read the papers? Do they ever touch the credit cards? If yes, then they should see the papers. If no because the receptionist ALWAYS does this for them, then your method is probably OK, but I’d give them each a print out and ask them to sign that they read and understand it.

  24. Thank you for the useful information. I misspoke. I actually walk the girls through the process by being on the telephone as they fill out the SAQ form online.

  25. FYI, I am very familiar with this process and FD Security Metrics PCI program.
    First, and this is difficult to confirm. SM sells their service to FD who marks it up and sends it to the ISO
    Typically the ISO marks it up and sends it to the merchant.

    I have seen fees from 49.00 to 150.00 to the merchant.
    I do PCI for some First Data ISOs at a fraction of that cost. Every time it is a battle with FD to let them move to another PCI company. The only explanation for this is that FD is creating revenue.
    In an article by the security lead at FD they said you can use anyone. However your ISO may not let you do that.
    I have heard them say it is a program fee not a PCI fee so if you go somewhere else you still have to pay.

    It is a lot of bs and believe me, we are fighting with everything we have.

  26. HI Greg
    I agree with the bulk of what you wrote up to and including “FD is creating revenue.” After that I can tell you this. The ISO makes a commitment for compliance which First Data is enforcing to a new level. The ISO negotiates a deal for the Security Metrics program, or chooses another outsourced option, or creates something internal, accepting liability and signing off to that effect.

    Most ISO’s simply made a deal with First Data. There were few options at the time this was announced and ISO’s didn’t want to potentially increase their liability . As with all negotiations, volume and other factors are a part of it so ISO’s had different rates.
    Then you have most ISO’s marking up the annual fee, but a few who eat the cost or pass through at their cost. It’s impossible for merchants to know who’s marking up and who’s passing through, though I think it’s safe to say $150 is something being marked up. I think the $19.95/mth for failing to comply is fixed for everyone, but I can’t swear to it.

    This leads to the 2nd part. Can the merchant use a Compliance company? Yes and no. NO. Once the ISO agrees to the Security Metrics program they’re not going to have merchants sending them reports from any number of other providers that they know nothing about. They would have to perform due diligence for every one of them and depending on how the FD contract is written, they may not be absolved of liability issues if they allow any other parties. The merchant accounts are automatically entered into the SM program when the account is boarded. It’s hard to get off that bus once it’s rolling. YES. As previously reported, the merchant can submit their 3rd party compliance paperwork to Security Metrics and be done with it. Unfortunately, the annual fee still applies.

    For your business, you’ll probably see growth as ISO’s move to the next phase. Finding other PCI Compliance providers that will meet their customers needs at a lower cost. However, at $79 annually, is that really too much to ask? I’m glad I’m not in that business.

  27. We have been with FD for over 10 years. When this PCI compliant issue first came up with the automatic fee being debited from our account and Security Metrics forced upon us, we tried to fight it. I cannot believe that this is not a class action lawsuit against Free Trade! We should be instructed by our Merchant Processor that we need to be compliant and that if we do not choose a company we will be fined monthly and then let us choose our own.

    We have been dealing with SecurityMetrics for three years and it has been a hassle EVERY quarter! Now, as if it isn’t bad enough that they manage to ‘find’ something every single scan, but their web interface isn’t working and we have been battling for over a week trying to rescan after addressing each of the ridiculous problems they believe create a vulnerability. The web keeps showing “processing” and runs for over 48 hours without stopping. Then they have the nerve to send me a reminder to be sure to rescan and become compliant once more. Not to mention, they now have problems with “False Positive” results that they have to address internally. The last quarter that we had a false positive, it took them over 4 weeks to address the issue. I find that interesting knowing that each month that passes, if you are not compliant you are charged an additional fee from FD. Doesn’t anyone else see a conflict of interest here??

    So, now we are over a week and still trying to get the scans done and get back to our “compliant” status. The irony is that we have never had a breach in 20 years of business but this came about because of breaches internally from big companies like Sears and CitiBank and we all have to pay for it.

    It is frustrating at best!

  28. We only use land line equipment/phone, CC data never gets placed on our computers and we do not take Internet orders. We were informed about PCI compliance some time after switching to Suntrust Service Merchant/First Data. In 2009 the charge was $79.00. This year it is $119.75. The charge apparently comes from Suntrust Merchant Account. It took me all morning to find that out. In the end all I could get from them is that “all PCI compliance charges went up”. This was after being told when I renewed compliance that it would remain at $79.00. When asked the current cost of having PCI compliance if using computer/Internet (scanning required), I was given two different prices. One $140.00, one $149.00.

    I’ve watched as merchant prices over the past year have climbed up and up; rather like a dog I knew once that would place his head on your knee and within a half an hour manage to get up into your lap without you noticing. A big dog, too. It’s that the cost of having clients use credit cards is going up and up and up. It has to hit a level somewhere. It can’t go on forever. I try to use checks or cash whenever possible. Checks are even better for record keeping than credit cards. It’s not a solution for everyone, more a local merchant type thing; but that’s my mini-solution. Use checks whenever possible. If a record isn’t needed, use cash.

  29. I feel your pain. Thanks for reporting the latest SunTrust info.
    Good news, good news. Federal legislation passed this year will likely have positive implications for merchants in 2011 and beyond. Secondly, it’s imperative merchants, especially larger merchants, have a solution that manages their interchange qualification. We provide that service while allowing merchants to keep their existing processor.
    Lastly, Tina, I may be able to help your situation- contact me privately. I don’t know if you can get a refund or not, but you can try if you like what I offer.

  30. I would avoid First Data at all costs. We will be moving all four of our restaurants to a new provider at the end of the month. They tagged us with $139 PCI Compliance for each of our accounts and were rude and unhelpful on the phone. They also added a $10 per month service fee for each account and have been very hard to work with on tech support – which is critical when you have a customer standing there and the machine/network is not working properly.

    They did make it clear that you don’t get anything for the PCI fee. You are 100% responsible for any breach (we just have landline terminals – no POS). So it is really worthless to be PCI compliant. If you are doing the right thing everyday you don’t need to worry about this. If you are PCI compliant and an employee makes a mistake, you are in the same boat as if you didn’t have the PCI compliance.

    Good lesson to negotiate all this ahead of time. I have $1000 worth of headaches dealing with these fees and I think they count on the fact that people will not have the time to fight on the phone for 10 hours.

  31. HI Michael, thank you for your post. First, it is never worthless to be PCI Compliant. Let’s say an employee skimmed some cards which is a big problem in restaurants. If you can show that you were PCI Compliant then you could possibly avoid any fines by the associations since this would boil down to a rogue employee who managed to circumvent your processes somehow. But if you were not compliant, you could have huge liabilities. There is a difference in financial repercussions for data breaches between compliant and non-compliant companies. Lastly, many people think PCI Compliance is only about electronics such as computer POS systems, but it’s not. It starts at the point you accept cards, in this case, the card being handed to an employee. Please check out this page for more PCI info

    Your experiences with First Data are similar to others who’ve posted in the blog. This is why our business is so successful. Our clients have a relationship manager and a support team, in addition to the 24 hotline of the payment processor, whether it’s First Data or someone else. Our red carpet service is the main reason why merchants choose to work with us. I hope you’ll give us an opportunity to serve you too. Christine.

  32. AMENDMENT JANUARY 2010. Now that the First Data- Security Metrics PCI program has been in place a while, there are ISO’s that have moved on to alternative programs due to high customer dissatisfaction. In some cases, there is no fee at all. Existing Merchant Accounts that have the fee will continue with the same going forward. For new merchant accounts, check your contract and ask if there will be a PCI Compliance fee.

  33. Yes, the credit card merchant banks are scams and they can get away with it. So I was looking at my weekly deposit from ipaymaen/iaccess and I noticed that my Tuesday transactions were not in my deposit, so I called the bank. They said that no end of day batch was done, so I said if I wouldn’t have noticed this, where would the money have gone? They said the bank doesn’t keep it, it falls off the system and the customers’ money gets returned. (Like I believe that.) I also have 388.00 extra charges on my account between 12 months. How many big companies do they make a lot of money off? And the PCI plan is a scam too, just cause they can’t keep up with their job they want to put it on us. I am going to push to get my money back. Also the merchant bank said that my machine had to be upgraded and cause of accepting debit cards they started charging me a fee. i over this company

  34. @ PCI Pete
    As I have indicated my dissatisfaction above while still being forced under contract, I would like to join a class action. It seems that these contracts should be void and unenforceable since the fees were not included under the terms of the original agreement. In addition to being PCI compliant, I do not contribute to the problem by having a dial-up card reader and not keeping any credit card numbers.
    For any law firms pursuing this class action, please contact me via email at my website in the contacts page. Thanks.

  35. Although charging more for a credit card transaction is frowned upon by VISA/MC you can however set your price at a certain level to take into consideration the fees charged by V/MC and the processor and then instead offer a “cash discount” to customers paying cash instead of Visa/MC. Bottom line is the merchant has no control over the fees. I think it is a crime that the card issuers and processors charge the merchant for customers to use charge cards when ultimately the charge should go to the customer.

  36. This is bogus. Another way to rip off the small business. They said they wanted to do a security scan on our servers. Like why should we breach our internal security for this. We are cancelling our merchant account and going back to landline merchant services.
    It’s bogus!

  37. OK, owning a PCI company, I can give you some insight into this from the industry standpoint.
    First Data as a rule says you can have any PCI program you want. If you use the Security Metrics program, it is supposedly $79.
    Of this FD gets a cut. Many ISOs will mark it up.
    This is not to advertise our company, but we charge a fraction of that and report to FD for the ISO who is and who is not compliant. As a result of ISOs jumping ship because of the service problems with SM and FD, there is now a change. FD is going to start charging ISOs a fee for billing the PCI fee through FD if they are using a different PCI processor. They want to make it impossible to use anyone but this nonsense $79.00 SM.

    FYI, PCI DSS itself is not a rip-off. I have found many a breach and helped lock down many systems over the last few years.
    The ridiculous fees are a rip-off. Visa/MC just say complete the SAQ/scan if required and be compliant. FD is not following the spirit of PCI or offering a fair process for anyone to fulfill the requirement.

  38. We pay Security Metrics a $25 fee every year to become “certified,” although we do not do any financial business online, and do not store any financial data. We use a dumb swipe terminal. They are supposed to be contacting First Data to tell them we are certified.

    We intermittently get charged $19.99 PCI Security Fee by First Data during the year even though we are certified. In addition, at the end of the year, First Data charged us an additional $99 PCI Security Fee.

    We are going to switch clearinghouses. This is ridiculous! As an aside, I fail to see why the merchants should have to pay ongoing fees for security problems that MasterCard and VISA are having.

    • Hi Dana
      I haven’t heard of a $189 fee or an increase yet from anyone else.
      Something is amiss with what’s going on in your account.
      When you pay your processor the fee, you log in to Security Metrics and should not be charged another fee. It sounds like you’ve signed up at SM and are paying them. Therefore, the certification is not getting back to FD. When there is a mix-up, contact your processor.
      The $19.99 is because the processor does not have a record of the completed certification.

      If you’re switching, contact me for options. We can help.

  39. Hi Dana- $19.95 is charged when they don’t receive your certification. If it is reported correctly on time, you will never see this fee. Something is amiss. If you pay First Data $99, you should not also pay Security Metrics $25. PCI Compliance is not just for online. If you read the appropriate worksheet at, you choose the one right for your company. Plenty of data breaches occur in retail and business environments that are not online.
    If you want an offline solution with no annual PCI fee, give me a call. A word of warning though- it’s a small fee for the protection it provides if you maintain proper procedures year round, not just on the day you complete a form.

  40. After reading all the posts and the Administrator’s answers – I am coming to the conclusion that the PCI compliance fee is bogus and an outright rip-off. What is the purpose of paying $129 (usually – because $79 is almost always marked up) if the only transactions the merchant does are through a dummy terminal? No names and full CC numbers are printed. What expenses does the Merchant Account Provider endure in this case? None.
    There are two problems with CC transaction security, though:
    1) The Merchant Account Providers have direct access to the merchant’s bank account. They will do anything to debit those accounts, justifying it by any reasons and ridiculous fees.
    2) 99% of all online fraud is caused by insiders (they can be the Merchant Account Provider’s employees as well) – so paying any fees to the same people who potentially can do the most harm is a double nonsense.

  41. I’m waiting for that class action lawsuit as well.

    I understand completely why the credit card companies and processors want merchants to understand compliance and BE compliant, but the SAQ’s are available for free online from the PCI Security Standards Council. This is the body that makes all the rules, and according to them a complete SAQ is all that is needed from small businesses like ours that don’t process cc information online and have no POS.

    I got hoodwinked by an acquirer who said we could use the SAQ for self-attestation of compliance and then denied it once we established an account. They sent me to Security Metrics where I completed the EXACT SAME questionnaire online – then they denied that too! In the meantime they’re charging us $19.95 a month PLUS they slapped a $99 annual compliance fee on us, and for what? What are we paying for? The privilege of filling out a questionnaire that I can (and did!) get for free elsewhere?

    The credit card companies themselves (Visa, MC, etc.) insist that acquirers validate their customers’ compliance, but they have nothing to do with the fees. It’s totally arbitrary, just another way to make a profit. Most customers won’t even look that closely at their statements, and those that do will be made to believe this is some kind of law and/or the fees are simply handed down from the top, but they’re simply not. There needs to be some regulation of this industry, to protect businesses from predatory practices like this.

    I’m told there’s a government agency in the works to do just that. Maybe help is on the way? Let’s hope.

  42. Security Metrics provided us with a list of TCP and UDP ports on our corporate IP address that are in violation and therefore resulted in a fine. However, we had several scans done and could not find any such ports that yield a security risk. Additionally, we could not find any ports open that they reported. Furthermore, gateways simply do not provide any open ports in the first place. After I talked with them directly and finally got someone who even knew what a port is, they told me that the scan may not be accurate and that it is generally an approximation because they could not do anything but ping a customer’s gateway to a LAN. What a scam! I too will assist in any class action lawsuit. Meanwhile Visa/MC is cashing in on us.

  43. Sorry for your troubles- make sure you work with them until you pass to avoid monthly fees as well as liability should you have a data breach. As a last resort, if you can’t resolve that, contact Christine here at 3D Merchant Services for an alternative processor that does not use Security Metrics, though I strongly recommend everyone use a 3rd party service for protection. It’s an added layer you can use in your defense should you ever be accused of a data breach.

    My scan passed yet again on Friday. Here’s the email excerpt- Site Certification Pass- Your scan (ID———09) has completed for the following Site Certification:
    IP Address: ————-3
    Domain Name: —————–
    SCID: —————-

    Congratulations, your scan passed! If ‘——————‘ is a publicly accessible web site, you may now place the SecurityMetrics Site Certified logo on that specific website. This logo helps increase consumer confidence and spending. See your latest passing scan results and select the “Add Site Certified Logo Instructions” link.

    If you are participating in the merchant compliance program, you should log into your account and ensure that you have completed all your compliance requirements.

  44. We run a small hair salon that does maybe $15k worth of visa transactions annually. We have a dial up card reader, no internet connection, and store none of our records digitally. Our receipts are handled by me and nobody else. Yet I have to pay 129 bucks a year to fill out a three-line survey on a website, none of the questions from which apply to my business.

    What a ripoff.

  45. I became compliant and First Data still kept charging the fee for months. I had to relentlessly call them and Security Metrics to find out why this was happening. Each person I spoke with came up with a different reason for the continued charges, which has assured me this charge has been bogus since the day it started. First Data agreed to refund me a portion of this fee, which is a total admission on their part that the fees for PCI are bogus.

  46. First Data charged me also. What a scam. I am changing services and also going to complain to Sam’s Wholesale, where I got the services through.

  47. FirstData (Cardservice International) charges me a $120 PCI non-compliance fee plus a $28 monthly fee, plus they charge me 3.3% qual and 5% non-qual for every transaction plus a million other fees, so I end up paying 7% to 10% of my sales to them. My sales have dipped 80% (most of my sales are gone) plus I’m losing more to the fees and charges, so basically I am almost bankrupt. Those fees and charges are ever increasing without any prior notice. What a SCAM! PCI compliance is yet another excuse for FirstData, Visa, MC etc. to rip off the merchants with an ever increasing number and amount of fees, charges, penalties etc. I’m planning on going ALL CASH and boycotting any banks, cards and even checks, ’cause I’ve had enough of GREED! Please advise an excellent and reasonable card processor for online merchants?
