PCI Compliance Scam? You Tell Me

I ran into a situation recently and wanted to voice my disgust over it.

I have a friend who runs a side business with his spouse and, of course, takes credit cards for payment.  They signed up with a processor and obtained a logon to the processor’s Web site for processing card transactions.  A couple of months ago, he called me because he had gotten a letter from his processor saying that they needed to be PCI compliant, and he wanted to know exactly what PCI compliant meant.  So I listened to how his business operated and, since the processor had given them no guidance, told him to fill out and file an SAQ A with the processor.

They filed the SAQ A with the processor and then got a call from the processor asking for certification of the SAQ by a QSA.  The processor explained that if they did not have a QSA, the processor would charge them $185 to have a QSA certify their SAQ.  So I got a second call from my friend asking about this latest twist.  I explained that having a QSA review and certify an SAQ is not a PCI requirement.  As a matter of fact, the filing of an SAQ by a Level 4 merchant is recommended, but not required, by the card brands.

So now I am on a call with this card processor, who is demanding that my friend pay them $185 to obtain a certificate from a QSAC certifying that he is PCI compliant.  I speak with a customer service supervisor who explains that their company requires all merchants they process to work with one of their recommended QSACs, or any QSAC of the merchant’s choosing.

I asked them to direct me to the PCI DSS or any other PCI requirement that requires a QSAC to sign off on a Level 4 merchant’s SAQ.  The supervisor stated that there was no PCI SSC requirement for this; it was their firm’s requirement.  They then listed off a number of recognized QSACs that could provide such a certificate for my friend.  I was shocked at the number of big QSACs this person listed and surprised that some of them would be willing partners in this organization’s PCI compliance program.  Unfortunately, a couple of the QSACs named did not surprise me, as I have always questioned their motives in the PCI compliance arena.

When I asked the supervisor if I could provide a PCI Attestation of Compliance (AOC) as my friend’s proof of compliance with the PCI DSS, I was told that an AOC was not acceptable and that, as a QSAC, my firm would be required to provide a certificate.  When I asked what the certificate would look like, I got an indignant answer that, as a QSAC, I would already have that information.  I found this extremely interesting, since no such “certificate” has ever been defined by the PCI SSC.  As near as I can tell, these “certificates” would not be worth the paper they are printed on and, if shown to any of the card brands, would likely be laughed at as “proof” of anyone’s “compliance” with the PCI standards.

Needless to say, this conversation did not go well nor did it last much longer.

But this conversation brings up an issue with the PCI compliance program that has existed from day one: how do you keep the program relevant to merchants and service providers when nonsense like this goes on?  Actions like these just add fuel to the fire for critics who argue that the PCI compliance programs are pointless and that organizations should not bother complying with any of the PCI standards.

Another problem this situation points out is how uneducated merchants are about the PCI compliance programs and processes.  Even though everything about these programs is documented on the PCI SSC Web site, there are vendors and service providers that abuse their position with merchants, and their knowledge of the PCI compliance programs and processes, for their own financial benefit.

I have submitted a question to the PCI SSC regarding this situation and hope to have an answer from them in the next few weeks as to whether it is legal or not.  I also intend to bring this situation up at the Community Meeting.  In my view, this situation is highly questionable and, in my very humble opinion, the processor should be forced through some sort of remediation program just like the QSACs face.


54 Responses to “PCI Compliance Scam? You Tell Me”

  1. Andrea
    April 12, 2016 at 2:14 PM

    Have you ever heard of the company “PCI Smart”?

  2. lysyzwie
    March 1, 2016 at 5:42 PM

    Hi, thanks for all the information. I think I know what the answer will be, but would like to know what you think.

    We have a POS RMS application connected by USB to a Chip/PIN terminal which processes the transactions.
    The POS RMS application never sees the PAN; it just sends the terminal the amount that needs to be settled and receives from the terminal whether the transaction was accepted or declined by the gateway.
    My understanding is that the PAN is encrypted on the terminal and never exists on the PC or the local LAN in unencrypted form. Encrypted data flows through the local LAN and out to the Internet.
    Since the Internet is public, do I need to treat my local LAN as in scope? (The information is already encrypted.)
    Is the RMS PC interfacing with the terminal in scope? It never sees the PAN or PIN.

    I would say the PC is in scope since it can be used to control the terminal.
    The LAN is in scope since the PC sits on it.

    Thanks for the comment.


    • March 30, 2016 at 5:30 AM

      First, you need to prove that the cardholder data (CHD) or sensitive authentication data (SAD) that the card terminal or point of interaction (POI) encounters is truly encrypted at the POI and cannot be intercepted at the POS PC. This can be done using Wireshark and its USB packet capture capability on a PC in your POS testing lab. The packets you capture should contain gibberish if the POI is encrypting the CHD/SAD. This testing will also prove that the POS PC is only sending the dollar amount of the transaction and receiving the approval/decline.

      Another thing you need to confirm is that only your transaction processor or gateway can decrypt the data stream.

      Once you have proven that the data stream from the POI is encrypted and that your organization cannot decrypt that data stream, then you can state that the rest of your network, the POS PC and the Internet are all out of scope for PCI compliance.

      Make sure you document all of this effort so that you can present this to your acquiring bank to get their approval for PCI scope reduction on your POS environment.
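The check described in the reply above, as an added example that is not part of the original post or of any vendor’s tooling: given the raw bytes of the POS-to-terminal exchange (for instance exported from a Wireshark USB capture), it looks for anything resembling a cleartext PAN and validates each candidate with the Luhn check, so that ordinary digit runs such as amounts and authorization codes do not register as card numbers. The three frames are constructed for illustration, and the field names AMT, PAN, EXP, ENC, RESP and AUTH are assumptions, not a real terminal protocol. If the terminal encrypts at the POI, a scan of every captured frame should come back empty.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not adjacent to further digits. Separators are stripped before Luhn.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; never log a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(payload: bytes):
    """Return (offset, masked_pan) for every Luhn-valid PAN found in cleartext."""
    hits = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if luhn_valid(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


def frame_is_clean(payload: bytes) -> bool:
    """True when no cleartext, Luhn-valid PAN is present in the frame."""
    return not find_cleartext_pans(payload)


# Constructed sample frames (not captured from a real device).
# A leaky terminal that passes the PAN to the POS PC in the clear:
CLEARTEXT_FRAME = b"\x02AMT=001999;PAN=4111111111111111;EXP=1225\x03"
# A terminal that encrypts at the POI: only the amount and an opaque blob
# cross the USB link (blob bytes chosen outside the ASCII digit range).
ENCRYPTED_FRAME = b"\x02AMT=001999;ENC=" + bytes(range(0x80, 0x98)) + b"\x03"
# Approval coming back to the POS PC: no card data at all.
RESPONSE_FRAME = b"\x02RESP=APPROVED;AUTH=012345\x03"


if __name__ == "__main__":
    for name, frame in [("cleartext", CLEARTEXT_FRAME),
                        ("encrypted", ENCRYPTED_FRAME),
                        ("response", RESPONSE_FRAME)]:
        hits = find_cleartext_pans(frame)
        status = "CLEAN" if not hits else "PAN IN CLEAR"
        print(f"{name:10s} {status:13s} {hits}")
```

An empty result is necessary but not sufficient: it shows no recognizable PAN crossed the link, not that the blob is strongly encrypted rather than merely encoded, which is why the reply also insists on confirming that only the processor or gateway holds the key to decrypt it. Keep the capture files themselves under the same controls as cardholder data until the check has passed.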

  3. January 4, 2016 at 12:17 PM

    It is a big scam.

    It’s basically a bunch of bankers (card companies) getting together and making a bunch of arbitrary rules to let customers use their plastic. Then you need to sign up for a scanning service which is exorbitantly priced for what is essentially a (formerly free) Nessus scan, but you can only buy this from QSAs (i.e. the bankers’ friends) and you can’t be compliant without it. All the while, there’s no real security assessment of your platform and all these scanning services ignore the big bold red font on the homepage to download the entire database, and you’ve got the option to add some tacky advertisement (whoops, I meant badge) for your scanning service to your site.

    • January 5, 2016 at 7:41 AM

      As a QSA, I can tell you that I’m certainly NOT any banker’s “friend”. Nor would a lot of my banking clients consider me their “friend”.

      I’m not sure who you are using to do your assessment that makes you believe that there is “no real security assessment of your platform”. All of my clients feel like they’ve been through the wringer when I wrap up their PCI assessment. That said, there is a PCI “check the box” assessment and then there is a PCI security assessment. They are two very different things. I’m terribly sorry that you have only encountered the check box approach.

    • Craig
      March 15, 2018 at 9:32 AM

      Just quit all that! Not worth it! Boycott them. Just use PayPal (even though I have my opinion on PayPal’s shadiness as well). The ideal situation would be to be an excellent merchant whom customers could trust to pay with good ole cash. We need to get back to using all cash.

  4. September 13, 2015 at 5:11 AM

    How about a class action suit against Security Metrics and First Data to get back all fees, charges and penalties from day one? For all customers.
    Just like the insurance charges that Amex refunded after they were sued.

    • Lisa Bliss
      November 5, 2016 at 8:03 PM

      I’d LOVE to get my money back from Security Metrics. I fell for their scam and they charged my credit card for a couple of years until I cancelled it and filled out the compliance form myself. Is it still required with the chips?

  5. Owen
    February 13, 2015 at 9:56 AM

    I know this topic is a bit old but I just had my first experience of talking with Trustwave and thought I would share…

    Someone I am doing some compliance work with has an online shop run wholly externally by a third party. I said that they need to prove they are PCI compliant, as you have contracted them to run the shop. (The company I’m working for has other payment mechanisms so they are completing SAQ D anyway.)

    A few weeks later a Trustwave PCI Compliance certificate gets emailed to me saying the online shop hosting company is compliant with SAQ C-VT – obviously the wrong form. I phoned Trustwave, and it was the least useful thing I have ever done. I asked what the process was of confirming the certificate provided…no proper answer. Eventually I was told that “it seemed like the online shop company had ticked the wrong boxes and filled in the wrong questionnaire”.

    Are their compliance certificates actually worth anything?

    I’m having to phone the online company now to ask them to phone Trustwave to sort it (which they probably won’t do), as Trustwave wouldn’t do anything off their own bat even though they had signed off on it.

    So even though I’ve told them that this certificate is complete gibberish, they won’t revoke it or contact the company to ask them to resubmit!


    Rant over. 🙂

  6. December 27, 2014 at 5:15 AM

    I decided to DUMP FirstData, to dump my merchant account with them and only accept PayPal, bank wire transfers and cash, with cash as the preferred method. Also I accept Western Union cash transfers and some cheques. I no longer accept the sharks such as Visa, MC etc. because they have become too greedy and too dishonest. I am calling for a Worldwide Boycott of the credit card industry!

  7. December 26, 2014 at 9:34 AM

    I’ve been a one-person business and merchant for a couple of decades. First I signed up with Cardservice International (now FirstData) and I had to become PCI Compliant using Security Metrics, which was impossible, and they (SM) would never explain anything nor help me in any way. All they did was demand the compliance, but the compliance to me was impossible, because I could not understand all those bird languages and formulas that they were sending to me, and they did not refer me to any company who would explain it all to me or even do the full compliance for me. I was told by someone online that to fully comply I would have to spend at least US$100,000 (cost of a moderate house), and for me, who was selling $2000-$4000 per month gross and making just about $1000 per month, that was impossible. So, for many years, Cardservice International – FirstData SCAMMED me for many PCI non-compliance fees that way, by making it IMPOSSIBLE for me to comply. It is exactly the same as if the police stop you on the road while you are driving 50 mph and fine you for speeding 50 miles over the speed limit! Exactly the same scam! It is impossible to drive slower than 0 mph! Then, CardService International / FirstData changed their PCI compliance partner (in scam) to PCIRAPECOMPLY.CON (I apologise if I misspelled; again, PCIRapidComply.com) and asked me to complete the application through pcirapidcomply.com. I tried to do it, but every time I try to do it the website would ask me to log in or to register. It would not allow me to register as a new user (!!) because it kept stating that I was an EXISTING USER, yet when I entered all the correct data to sign in, it would say there’s been a problem and you will receive a new username within 7 to 10 business days! That is how long to wait for a username!!! Even that would have been fine, but even after 2 months I received nothing, and I emailed FirstData support, but never received a reply on that one!

    So I emailed them again and again and tried to log in or register on that nasty PCIrabidcomply.con or PCIrapidcomply.com, but same problem again and again, and when I called FirstData they told me the same, and I never received my username or the fix and never was able to even SIGN IN to the damn website to even BEGIN the PCI Compliance process!!! I believe this is all done INTENTIONALLY and FirstData needs a CLASS ACTION LAWSUIT badly! Take a look at some of the correspondence from FirstData (who keep on changing their company name, to confuse people, i.e. Cardservice Intl., a.k.a. FirstData, a.k.a. Ignite Payments, a.k.a. PCIRapidComply, etc.):

    “In order to resolve the noncompliancy issue you will need to complete a security assessment as required by the Payment Card Industry Security Standards Council. This can be done by visiting http://www.pcirapidcomply.com. This is a free service provided by Ignite Payments LLC to assist with the security assessment.”

    Then, when trying to sign in or log in to the PCIRapidComply.com website to begin the PCI complication process, I am given the following red font message above the sign up or sign in form:

    “We apologize for the inconvenience. We are unable to locate your merchant record in our database. The information you provided has been sent to the support team to be added to PCI Rapid Comply. The general timeframe to have the information uploaded and ready for use in PCI Rapid Comply is 7-10 business days. An email will be sent to you notifying you when your information is ready for access.”

    I did this TWICE, over a month ago, so far no email no action followed, nothing what so ever. I just did the same procedure all over again today, 26-DEC-2014.

    COMMENT: They “are unable to locate my merchant record”, yet they are able to charge me exorbitant fees on my merchant record!? Right!? To REMOVE the exorbitant fees they can’t find my merchant record, but to CHARGE it, they find it very easily!?

    Please join me in the CLASS ACTION ANTITRUST LITIGATION LAWSUIT against FirstData or let me join yours. Let’s get all those many years of those unfair PCI Comply Scam fees back.

    • Mary Doyle
      March 6, 2018 at 7:32 AM

      Many thanks for leaving that message. I too find I am riddled with confusion and overwhelmed at the terminology used in these SAQs. I have been constantly researching how to complete the 84 or so pages. They want retailers to outsource to third parties to do the work on SAQs; more revenue for whom? Interestingly, when I first initiated the new terminal I read the small print and saw how to be compliant free of charge. This only worked on one occasion; since then I have been blocked or ignored trying to stay compliant without incurring costs. I also watched a video from a Lloyds Cardnet email. It stated that small businesses like yourself and I only had to do the AOC (Attestation of Compliance). What do you think?

      • March 14, 2018 at 1:05 PM

        If you are a Level 4 merchant, the card brands only “recommend” doing the SAQ. But all require the submission of an Attestation of Compliance (AOC) to the acquiring bank.

      • Craig
        March 14, 2018 at 3:40 PM

        I quit FirstData (Cardservice International) and am only using Paypal to accept credit cards plus I accept cash payments. FirstData have employees in management who would libel their own customers and that is unacceptable.

  8. Brenda Seeger
    April 17, 2014 at 11:59 AM

    So, next scam . . . . in November 2013, our firm received a letter from BankCard USA Merchant Services to start the PCI compliance through PCI Rapid Comply. I contacted BankCard USA and told them I was not going to take credit cards anymore if I have to pay $9.30 per month for being compliant as we don’t deal with credit cards all that often. My rep assured me that I would not be charged. I completed the application through pcirapidcomply.com (or at least so I thought) and for the next two months I was charged the $9.30 compliance charge. I contacted BankCard USA and told them my rep said I would not be charged. They credited my account $18.60. The next month, they charge me $19.95 per month noncompliance charge and continue to do so every month. I contact BankCard USA and they state our firm is not compliant. WHAT? I contact FirstData Rapid Comply and before I can finish explaining to the customer service rep that I completed the form to be compliant, she states, “A lot of people don’t see that they need to sign the form to become compliant. I can see you completed the questionnaire, but you didn’t sign.” In order to complete the bloody thing you have to log back in and click another box to sign. Even though it states you have completed the questionnaire. What the heck????? I believe they do that purposefully so that you are not compliant and they get their noncompliance fees every blasted month. What a bunch of BS. You try to provide your clients with a perk only to get screwed with all the fees and charges and “what they didn’t tell ya” percentages. ARGH!

    • April 18, 2014 at 6:51 AM

      Yes, a lot of processors are charging non-compliance fees for their merchants because of the workload that non-compliance puts on the acquirer/processor. The card brands require that the acquiring banks/processors track who is non-compliant and then follow up with those organizations to ensure they are working on becoming compliant and when. A lot of financial institutions are unwilling to absorb the cost of tracking non-compliance, so they recover some or all of those costs through their non-compliance fees.

      In the case of the Rapid Comply process, yes it does say that you completed the survey. However, it then states that the survey needs to be signed. The problem comes from the fact that on most monitors, the demand for the signature occurs below the survey completed message and does not appear on the screen unless the user scrolls down the screen which, of course, most people do not. As a result, a lot of people do not sign the form. You would think that First Data would fix this problem, but it was still doing this a couple of months ago.

      On the compliance fee, I’m encountering very few processors trying to collect those. The original driver was the PCI compliance program management for the card brands. However, if an organization is compliant, the only thing the financial institution has to do is record that and move on to the next organization. As more and more processors dropped the compliance fee, it became impossible for those still trying to collect the fee to keep their customer base.

      • Craig Wellington
        March 30, 2016 at 6:25 AM

        First Data is the one with ripoff PCI compliance fees and they keep creating more and more fees. Please advise which credit card processor is best and is not charging PCI complication fees?

      • March 30, 2016 at 7:04 AM

        I do not track processors and their fees, so I have no advice to give you. If you want a new processor, then part of your selection process should be to ask them about PCI compliance fees as well as any other fees they charge and when.

  9. Jai
    March 28, 2014 at 3:05 AM

    I have had very poor service from Security Metrics via Global Payments, who our card processing is with – I have even written to Brad Caudwell the CEO and not had a reply. Global Payments are no better – I wrote to a manager there but apparently she is too busy to reply …
    here are my letters:
    7 February 2014
    Global Payments


    Merchant ref 000000

    I refer to my previous letter.

    Please find my letter that I have just sent to XXXXXXXXX at Security Metrics. It really sums up the poor service and inconsistent approach to this matter. The cynic in me thinks that this whole system that you guys have come up with is purely a way of extracting cash from small businesses. It serves no other purpose. If the matter was that important then surely extra charges are an improper way of resolving it and making customers compliant?

    The most frustrating part of all though is that on Tuesday I was told by Security Metrics that we could do exactly what I asked for in my original call, which was made in response to the renewal letter. This was made in a timely fashion with the correct intent. What a waste of time this has been for everyone, and it’s difficult to see it as other than a revenue raiser for you – I respectfully request a refund of the charges you have taken that are simply not justified on this basis.

    Security Metrics


    I write to you as I understand you are the top man at Security Metrics. I think it’s important that when a guy like you grows a business such as Security Metrics that you are aware of how your customers see the service that you provide. I run a small business, single handed, and also have 17 years previous experience in Retail Banking for HSBC, having run a small branch and dealt with all manner of custom in the past. I would suggest that I have an appreciation of PCI and what it is setting out to achieve more so than most of your customers.

    It’s been a miserable, torrid time sorting this out and frankly I don’t have the quantity of time available to me that this renewal has sapped. What should be a simple process is laced with petty bureaucracy & complexity which achieves little other than a £50 per month fine for me and other businesses that have failed – in my opinion.

    Last year I completed a questionnaire with the aid of your staff which made my business compliant. The document was very poorly worded, using jargon that the layman simply cannot understand and also posing questions that are frankly irrelevant to a small business with 1 or 2 employees – in other words the backbone of independent retailers in the UK. It became apparent when talking to your staff, and they actively encouraged it, that all the ‘yes’ boxes were to be ticked in order to achieve compliance. This October I was sent a letter which invited renewal. I got straight on the phone to confirm that THERE ARE NO CHANGES to our business. That’s right, no changes that will affect our compliance status, because like many thousands of businesses we don’t need to change – we tick along quite nicely thank you and have no need whatsoever to complicate the day to day running of our enterprise. At this point your staff advised that renewal would not be possible in this way and frankly this made me angry.

    Another form, the same as the first one, was sent (why it could not be sent with a detailed renewal letter and guidance I don’t know) and I duly completed it where I could and marked certain questions as ‘not applicable’ to my business because they are not! Now I did not realise the form went to the US – it seemed to take an eternity and then came back to me as I had not completed it to your satisfaction – your staff tried to contact me but of course they call during the working day when I am dealing with my customers and earning money, making it impossible to have a meaningful conversation of the duration required (25 minutes in the case of the conversation I had Monday 3/2 to achieve my compliance). I then tried to call back but there seems to be no record of this. I also sent another completed form answering all the questions back to you subsequent to the last phone call. I then assumed I was compliant until I was checking my billing in late January and discovered that Global Payments were scamming me for an extra £50. Now I have taken the matter up with them. On Tuesday 28 January it was agreed that they would get you guys to call me at 16.55 that afternoon to resolve the matter. I stayed until 17.15 but no call. In the end I called you Monday 3 February and had that 25 minute conversation, filled another form in with your man guiding me (or telling me to tick every box – listen to the call) expecting to send it off to you.

    Imagine my frustration when someone called XXXXXXX called the next afternoon – he said he was responding to me (it would appear this was the call offered for the previous week at 16.55 by Global Payments) and that he could renew the compliance on the phone! WHICH IS WHAT I BLOODY WELL ASKED FOR IN OCTOBER.

    Now XXXXXXX informs me that your system has changed and you can now do this since January – so why was I not informed, given the fact I was non-compliant at that point and paying out £50 a month??

    He also was unaware of my call into you the previous day – now I thought you were a small outfit but looking at your website you are not – doesn’t say much for your internal communication and record keeping now does it XXXXXX?? XXXXXXX also said I need not return the forms I had wasted 25 minutes on the day before. Now the funniest thing is that I asked him for his full name – I always do this – I am not being funny but given the poor service from SM so far and the fact that one hand does not know what the other one is doing it’s nice to have a name – it’s also professional and businesslike – but please have a listen to the phone call and hear what the guy said! It’s a joke.

    So where do we go from here ?
    I want to suggest that next year you send out a form with all the responses you have already preprinted for people like me to just sign and return – job done, simple for us and simple for you. As I said, our compliance status cannot change overnight, which is what your current ‘system’ says is happening. You need to understand that it’s impossible to be compliant one day and then not the next here in the real world. However if what XXXXXXX says is true then just phone up and job done in 2 minutes on the phone and everyone is happy. I appreciate that you have clients who use computers and electronic systems and whose businesses are growing and changing annually, but there are thousands of us out there who are not in that situation and you need a simple, quick and efficient process in place. Also what is the point of your UK address?? I might just as well send the stuff direct.

    Finally I hold you and your organisation responsible for the penalty charges that I have incurred – it’s daylight robbery and you should be ashamed of yourselves. It’s corporate greed & I hope you are pleased with the way you run your business and how people like me perceive you.

    • March 28, 2014 at 6:10 AM

      I’m sorry about your experience with your payment processor and its security provider. This is an unfortunate side effect of the PCI compliance process.

      The card brands (Visa, MasterCard, American Express, Discover and JCB) push their payment processors and financial institutions for reports on the compliance of their merchants. The card brands are ruthless with the financial institutions if they cannot produce meaningful reports. Those institutions in turn contract with organizations like Security Metrics, Trustwave and the like to run and manage their PCI compliance tracking programs. The disconnect comes because even though your business is a customer of the processor or financial institution, the compliance program manager is under the gun to produce statistics. If that is not bad enough, the card brands change the rules in response to new attack tactics thus making some business processes legitimate and turning other processes illegitimate.

      I’m not justifying their actions, just trying to give you the background for understanding. Obviously there are better ways to go about this.

    • Dee
      March 28, 2014 at 7:07 AM

      I don’t think I will ever accept that it is reasonable for them to charge for PCI DSS. They are a supplier of a service, for which they charge already. If they can’t make it secure within the charges on the transactions they should give up.

      Imagine a kitchen knife company requiring all its customers to send in an annual compliance statement, confirming that they keep it safe and have not allowed anyone to take it and stab someone!

      It must be to make money otherwise they would make it easier, and it could be easier – we could all improve their forms in no time.

      To be fair First Direct do make it easy online, I was with Global Payments before, and although Security Metrics never charged me, it was complex to comply.

      I still come back to the fee – they need to cover this in their transaction fees, not in add-ons. Then we could compare rates and go with the best company.

  10. Chris
    March 26, 2014 at 9:24 AM

    You all might find this interesting, http://www.bbb.org/utah/business-reviews/credit-cards-protection-service/securitymetrics-in-orem-ut-22008052/complaints — from Utah’s BBB, “Complaint: … I’ve asked our bank, our merchant services and the Colorado Attorney Generals office if I will be fined for not using their service and everyone says it’s a sales pitch.”

  11. August 29, 2013 at 2:40 PM

    The first time I encountered PCI DSS I thought it was unreasonable for small businesses. Card providers have always promoted themselves as the safe easy payment solution – “they take all the risks.” Now after many years they are not so comfortable with their original promises.

    Last year while doing our compliance I was bombarded with offers to buy PCI DSS training and thought, “here we go again.” In 3 years’ time we will all be required to spend a fortune to maintain personal certification, just so we can fill in our form, which predominantly says no, no, no, no, no etc. etc. to 99% of the risks.

    It is literally an outrage that they can all sit together, come up with a rule, then later devise a money making scam to make us pay for their problem.

    At the top level the card providers need to enforce down the chain that the middlemen cannot make up their own rules about requiring the merchants to have QSA certification when a self assessment is acceptable for the standard.

    In fact this happens in many industries, Health & Safety, that sort of thing. The middlemen come up with their own company’s rule, which magically requires you to pay for a service you don’t need to meet a standard. I think Trading Standards Authorities should look at all of these practices.

  12. Pauly
    June 20, 2013 at 11:29 AM

    According to my Merchant Processor, First Data, Security Metrics was the company they used to use to verify our compliance, but that is no longer the case. They then directed me to logon to their website where I can fill out the forms and run the scans myself free of charge. No need to re up my subscription with SM. For some reason I was never notified because my email address was not on file with my merchant processor.

    • September 17, 2013 at 1:13 PM

      First Data have been charging me £50 a month, from 01/05/2012 last year until 12/09/2013, for non compliance. It adds up to £900; they have never emailed or phoned. Now I am compliant they will not refund my money. Anyone know how I can get my money back?

      • September 19, 2013 at 5:43 AM

        Unfortunately, you will not get your money back. What First Data is doing is charging you a fee for your non-compliance which is contractually allowed under your merchant agreement. Until you filed whatever SAQ or a ROC with First Data indicating your compliance with the PCI DSS, they were charging you for your non-compliance with the PCI DSS. The reason for those charges is to cover the cost of all of the paperwork you caused them to have to file with the card brands.

        A lot of processors around the world are charging such non-compliance fees as well as charging a PCI compliance program fee to fund the management efforts they are required to provide for the card brands in regards to tracking and reporting merchant and service provider PCI compliance.

        I’m sorry you incurred these fees, but as a merchant, you should be well aware that there is no free lunch in the world.

  13. Karen Lorr
    August 15, 2012 at 9:21 AM

    Hi all,

    Does anyone have a link to where the free on-line Q&A for PCI compliance is?

  14. David
    August 11, 2012 at 5:04 PM

    I am an artist who signed a 3-year contract with a credit card processor. This involves a $7/month fee and now a yearly $75 PCI compliance fee, which they say is required by the “credit card company.” I also have to go online (I’m not sure if this is annually or quarterly) to get compliant.

    First and foremost, though there may be legitimate reasons for PCI compliance, I can’t help but feel it is just another way for the credit card companies to rake in millions in fees. Call me cynical, but . . . when we look at the behavior of these large companies, not to mention banks and other financial institutions, we certainly have reason to be cynical.

    I no longer use this card payment service, since I have to rent or purchase a card swiper, which I only need infrequently, so I have decided to go with Square or GoPayment for credit card purchases. I’ll just have to eat it on the fees for two more years. Live and learn.

    Though I agree in concept to the idea behind PCI compliance, I have some serious questions about how it’s being implemented. First, I believe that the largest and most damaging breaches of credit card security have been with the “back-room” card processing companies, where breaches affect tens of millions of card holders. However, I doubt that these companies have to be PCI compliant or if they get charged fees when these breaches happen.

    PCI then, seems to be focusing on the front end, where there may be some breaches, but I doubt if they are to the extent that we see with the processing companies.

    Finally, I am a very small vendor, with my sales in the dozens or hundreds a month at best, not in the thousands or millions. I also only swipe cards, but have no way to collect the information, and therefore pose little threat to card security. Why then do I have to answer dozens of questions that don’t apply to me, or have to pay such a hefty fee?

    • August 16, 2012 at 6:12 AM

      The problem I have with these “new wave” card processing solutions is how they are being presented to small merchants like yourself. Before Square changed their reader, when a small merchant read their Web site it appeared that the solution was PCI compliant. However, for those of us “in the business,” we knew that the PCI compliance representations were only related to Square’s back office and authorization processes and NOT to their reader on your smartphone/tablet. That is what bothered me the most because it put small merchants unknowingly at risk if they lost their device.

      That has now supposedly changed and the reader now encrypts cardholder data so that the smartphone/tablet cannot read it, but there is still risk. The largest risk that people do not realize is that if the reader fails to read the magnetic stripe and the cardholder data is manually keyed into the device, the device will likely remember that information until it is wiped out weeks or, more likely, months down the road. Granted, you shouldn’t have to manually key in a customer’s data, but if you do, you are putting that data at risk. Now add in laws such as those in California regarding notification of people that could be possibly at risk, plus if the device is harvested and the card numbers used, the penalties and fines that would likely be assessed and you can see how that could put you out of business in a hurry.

  15. wokkie27
    July 25, 2012 at 8:41 AM

    It is a scandalous rip-off by our banking industry to cover us for their own greed.

  16. November 23, 2011 at 9:56 AM

    I got a good one! I get charged $150 a year for being PCI compliant. I have to take the test every year and get no certificate or anything else except the charge! My processor tells me they don’t charge that. The charge comes from Security Metrics. And I sure as H.. am not on any compliance list I can find.

  17. October 1, 2011 at 8:03 AM

    I was told basically the same thing. I went to a site, Security Metrics, and took the survey, passed and was given a certificate to copy. For the past year Security Metrics has been telling me the Q&A I took was no longer valid and I needed to take the updated one. My processor said I was compliant, so I think Security Metrics is a scam. They just want you to pay for the upgraded version, which isn’t required. I wonder how many got sucked into paying this needless fee? You can take the Q&A online free. It takes about 15 min and is a bunch of bull. You could tell them what they wanted to hear and pass. No follow-ups or proof you’re doing it by their standards. I recommend you take the test once for free, download the certificate and you’re compliant. Listen to no one trying to sell you an upgraded system, it’s bull.

  18. July 26, 2011 at 2:07 PM

    Would love to talk to you more about this. We see it all the time from many processors. The bottom line is that PCI is a profit center for these guys to make up for shrinking margins. The last thing they want or care about is the compliance status or security of their merchants; it is all about how much they can charge the merchant. Would like to do a podcast on this if you are up for it, contact me.

    • July 26, 2011 at 3:57 PM

      Since the PCI compliance program is essentially an unfunded mandate from the card brands on the banks and processors, I don’t have a problem with processors charging their merchants a nominal “filing fee” or “PCI compliance fee” for managing their PCI compliance program. These organizations have to track the progress of their non-compliant merchants, review ROCs and SAQs, as well as report information back to the card brands, so recovering some of their costs should be expected.

      However, for a processor to come up with $185 and then also demand that a QSA sign off on the SAQ is just not right. These sorts of processors usually have arrangements with a few QSACs for handling these sign-offs. And there is usually the requisite arrangement of spiffing the processor for every merchant that gets the QSAC to sign off on their SAQ, so the processor gets their fee as well as a spiff. But this is the first one I’ve run across that points their merchants at the PCI SSC Web site to find a QSAC. As a QSAC, I have issues being associated, even indirectly, with such an organization and what merchants would likely perceive as a scam. These organizations have to know that a QSA is also going to charge for signing off on the SAQ, just further infuriating the merchants. It just makes everyone look slimy and not above board. That is why, in my very humble opinion, this sort of practice must stop.

      • April 23, 2013 at 7:46 PM

        So as a merchant, what do you suggest I do moving forward? My “compliance” is about to expire, should I shop a new merchant processor company, or do I suck it up and pay it? Do all of the processors require this type of “certification”? Help! Time is of the essence, I am receiving phone calls and emails daily from Security Metrics!

      • April 24, 2013 at 4:19 AM

        I would find a new provider. Barring that, I would “suck it up” and pay the money grubbing … Well, you get my drift.

        No, not all processors require certification, whatever you mean by that. If you mean PCI compliance with an SAQ that proves that compliance, then yes, they all require that. But special certificates and paying money to be “certified”, that is BS and is NOT required by the PCI SSC or card brands.

  19. T.Anne
    July 21, 2011 at 7:56 AM

    I see a few issues here really…

    1) shame on the processor who has clearly taken advantage of the PCI standards’ lack of specific guidance for the purpose of making a bigger profit. They sound incredibly shady and I wouldn’t want to do business with them or any of the QSAs that are on their approved list (as they should know it’s wrong too). The PCI SSC, I believe, has left some things undefined or open to the processor/acquirer/QSA to decide because there is no one fix for every merchant… the systems are different and the way they need to be handled is different. They haven’t given that right of power so that it can be abused for personal gain.

    2) the PCI standards, unfortunately, have opened a shady door that’s all about lining pockets with an extra profit. I think it started out with good intentions… yes – a lot of merchants needed better security. But merchants weren’t the only ones. They shouldn’t be required to dish out the amount of money that is required to be compliant. Compliance isn’t security and unfortunately compliance, in many cases, can cost more than simply being secure. Either because of required systems/applications or because of processors or QSAs that require unneeded certifications/applications/network changes/etc. I agree that we need better security – there is a real threat out there. But we need better security all the way around. With everyone being responsible and held accountable for their portion – not dumping all the blame on the merchants. This isn’t a one-way street and the issues aren’t entirely the fault of the merchant. In fact, had better care been taken up the chain – the merchants wouldn’t have been able to create the problems they have. They should care for protecting their customers’ privacy, if for nothing more than their reputation and success… without that – even with the PCI requirements, all they’re going to do is check the box regardless of it being true or not and deal with a breach if and when it happens.

    3) the PCI SSC and, ultimately, the card brands have opened this window for shady business – they should be able to lock it down as much as possible. What – a processor is manipulating the system and forcing merchants to pay for something we don’t require? Well then they should be taking action against the processor – take away their rights, increase their costs, something – anything! They shouldn’t just turn a blind eye and say “well it’s their decision to manipulate our program to their own profit – not our problem.”

    As PIN Head mentioned – this really should be a matter of everyone actually working together to better the system and protect cardholder data… it shouldn’t be everyone working to line their pockets at the expense of the merchant who essentially has no say. Everyone isn’t working together – they’re working individually and still not toward the common good.

  20. Mello
    July 20, 2011 at 10:14 AM

    I had this same conversation with the PCI SSC last year. Their answer:

    Many of the Processors are using QSAs to help them get their merchants compliant. Many do not have the knowledge or the bandwidth to handle the large endeavor it takes to get all these entities to validate compliance.

    It is a business decision who they force their merchant to deal with or any fees they charge. This is out of the scope of PCI. Only their processor can tell you what SAQ they expect to receive from a merchant and/or how they receive it.

    Unfortunately you are at the merchant processor’s mercy.

    I was not happy with the answer but that is the way it is.

  21. Anonymous
    July 20, 2011 at 7:35 AM

    The issue really stems from the PCICo written standard. The requirement for Level 4 merchants is that validation is at the discretion of the acquirer. With that said, the acquirer then has the power to require (read: demand) a certificate to validate compliance. In many cases, the managing person at the acquirer isn’t qualified to assess the SAQs — it’s merely a measure to protect themselves.

    I understand that from the merchant’s perspective it seems unfair, but who is protecting the acquirers in this mess?

  22. July 20, 2011 at 2:10 AM

    I think what your friend has to do is change service provider/processor. Period.
    FIs, PSPs and Merchants, all of them, have the responsibility to comply with PCI-DSS.
    PSPs and FIs are responsible for ensuring that all of their merchants are compliant, but I think it is not a good marketing strategy to force merchants to pay for nothing.
    What FIs and PSPs have to do is provide tools and procedures to the merchants so they are not worried about PCI compliance. An example of this could be adopting the EMV standard. Ok, that is only a solution for Card-Present transactions, but you can create more solutions for CNP scenarios.

  23. PIN head
    July 19, 2011 at 5:31 PM

    I have been in this industry long before the PCI SSC existed and have watched the evolution of this program grow. The program is a sham, scam, whatever you want to call it, by the card brands and big issuers. It still amazes me that the card brands and issuers have convinced everyone that the merchants, acquirers and service providers have to front the cost of protecting cardholder “sensitive” data. Data that is stored in the clear on the payment product to begin with. The card itself is issued non-compliant to PCI DSS. Issuers store and transmit clear text magnetic stripe data using a distributed database known as the credit and debit card. I have several such clear text magnetic stripe data records in my wallet every day. How anyone can think you can protect data that starts out in the clear is beyond me. And that it is the responsibility of the merchant to do so is a joke. I am all in favor of everyone working together to protect the data as we move on to a new, more secure payment product, but I don’t see that move happening anytime soon in the States.

    One fix that I have suggested since the formation of the PCI SSC is that the council have a mediation body that resolves issues like this one. They created the requirements and then have no method to resolve issues based on interpretation of these requirements. The answer of “the QSAs are trained” is not the solution.

    BTW, has Citibank been fined for their data breach yet?

    • July 19, 2011 at 6:44 PM

      Everyone in the payment stream has a responsibility to protect cardholder data, including the cardholder.

      Merchants and service providers got sucked in because they were doing a poor job (if they were doing any job at all) of protecting cardholder data that they knowingly or unknowingly were retaining in their computer systems. Most had no idea that their computerized point-of-sale (POS) systems were storing credit card numbers because the software vendors weren’t telling them. Financial institutions are now starting to get sucked into the compliance process as we are now getting a lot of calls for PCI assessments from FIs.

      Unfortunately, there is a lot of infrastructure in place using the current credit card configuration in the US, which is what keeps Chip and PIN out of the US. However, Chip and PIN only works for stopping face-to-face fraud, not the other frauds. And then there is the fact that the mag stripe and chips do nothing to protect that data. As I have stated before, what will be a game changer will be the advent of single-use transaction codes generated at the time of the transaction. American Express did this with eCommerce transactions a number of years ago; however, they pulled the plug on their trial and I never heard the reason why. In its present configuration, Chip and PIN could go a long way in securing online transactions, but no one has ever stepped forward to create a standard API that would make this possible.

      We will probably never know if Citibank is fined and by what amount. Bankers like that sort of thing to be kept private.

      • July 20, 2011 at 11:22 AM

        If the issuing banks were charged back every time they authorized fraudulent transactions instead of declining them, then the problem of having to secure data that is inherently not secure (it’s imprinted on the front of the #$@$ card!) would get solved pretty much tomorrow, and the need for PCI DSS on the merchant end would become much less important as the processing network actually became smart enough to detect and prevent fraud.

        It is 2011. If someone pays with a credit card, I should be able to call an API that transforms that to a unique hash and be able to issue authorizations, captures, and credits against that hash until the end of time or until the customer or bank revokes that permission. And it should be a standard. Some gateways kind of sort of do this–but it’s proprietary to the gateway, usually expensive (CyberSource), limited to a single auth & capture (AuthorizeNet), and not visible to the banks or the consumer (negating its use for tracking or for limiting damage in a data breach).

        If I could stop storing card numbers tomorrow I would, but doing so means (1) lost conversions due to customers having to re-type card data on subsequent purchases; (2) lost fraud prevention tools since banks won’t do a manual AVS lookup without the full card number, which is useful if someone e-mails a corrected billing address; and (3) difficulty processing backorders and long term refunds.

        > American Express did this with eCommerce transactions a number of years ago, however they pulled the plug on their trial and I never heard the reason why.

        My guess would be that it had usability problems. Verified by Visa, for example, is a usability fiasco (“don’t ever give out your banking information–except you should do it right after this sketchy redirect!”) and is largely ignored by ecommerce merchants as a result–it’s better to take the risk than the loss in conversions. The banks have no incentive to make it better. Since the merchant is the one who’s often footing the bill when it comes to ecommerce fraud, what incentive is there for the banks or the networks to actually prevent it? To actually make AVS reliable?

        Since the banks and the processors are so chummy, I think the only way that any of this would change is if some of the major retailers–I’m thinking Amazon, Walmart, and Target–got together and created an independent network that sidesteps the existing PCI, one that actually solved these problems.

        My two cents. Great post.

    • PIN Head
      July 20, 2011 at 10:54 AM

      Actually, there was nothing wrong with merchants keeping the card holder data like they were in the past because there was no value to the data. Two things changed out from under merchants and acquirers that have caused this data, that issuers at one time even printed in booklets, to become extremely valuable. 1) The increase in the use of this payment product for online (web) transactions with only the PAN data that was being printed on receipts and is embossed on the front of the card, and 2) the use of PIN-based debit as a signature-based product, unfortunately referred to as “offline debit”. This product allows signature-based and card-not-present transactions to directly debit the card holder’s checking account. And when this occurred the banks did not accept the fact that fraud was possible, so card holders were directly affected by fraud. It was not that big of a concern when fraud hit a credit card because the card holder was not directly affected financially. Just charge the transaction back to the issuer.

      Then comes the PIN debit attacks on top of this from skimming and all that where the banks can now claim “well, the transaction was PIN based so it HAD to be you Mr. Customer.” This wakes up the card holders and then the brands and issuers can point to the merchants and acquirers.

      When you say “Everyone in the payment stream has a responsibility to protect cardholder data, including the cardholder” then everyone should work together. If we all worked together then we, and when I say we I mean the brands, issuers and the PCI SSC, would not immediately come out and throw PCI-DSS compliant merchants or acquirers under the bus. If everyone was really supposed to work together to protect this data then we would all work together to improve the system.


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

July 2011
