What Is the PCI Fee on My Merchant Statement?
Demystify the PCI fee on your merchant statement. Grasp its purpose in securing card payments and what it entails for your business.
A PCI fee on a merchant statement is a charge for maintaining the security of payment card transactions. Businesses accepting credit or debit card payments commonly encounter this fee. Its purpose is to safeguard sensitive cardholder information against data breaches and fraud.
The PCI fee stems from the Payment Card Industry Data Security Standard (PCI DSS). The major card brands, Visa, MasterCard, American Express, Discover, and JCB, jointly founded the PCI Security Standards Council (PCI SSC), which publishes and maintains the standard. Its objective is to protect cardholder data from theft and fraud by mandating specific security controls.
Compliance with PCI DSS is a requirement for any business or service provider that stores, processes, or transmits cardholder data. The PCI fee often appears on merchant statements as a charge from payment processors or acquiring banks, to help cover costs for facilitating, validating, and ensuring adherence to these security standards.
The PCI fee is not a direct payment to the PCI Security Standards Council, but rather a charge from your payment processor or acquiring bank. It covers services and resources assisting merchants with compliance efforts. It often provides access to tools like self-assessment questionnaires (SAQs) or support in completing these documents.
The fee may also cover external vulnerability scanning of the merchant's internet-facing systems, which PCI DSS requires quarterly from an Approved Scanning Vendor (ASV) for environments with internet-facing components. Administrative costs for reporting compliance status to the acquirer and card brands, and for providing educational materials, are also commonly included. Some processors bundle basic breach insurance or liability coverage into this fee as well, though the exact services vary by provider.
The specific amount a business pays for the PCI fee is influenced by several factors. A primary determinant is the merchant's PCI compliance level, which each card brand defines by annual transaction volume. Under the commonly cited Visa thresholds, Level 1 merchants process over 6 million transactions annually, Level 2 between 1 million and 6 million, Level 3 between 20,000 and 1 million e-commerce transactions, and Level 4 fewer than 20,000 e-commerce transactions (or up to 1 million transactions across all channels). Higher transaction volumes bring more stringent validation requirements and often higher associated fees.
The method of compliance validation also affects the fee. Lower-volume merchants typically complete a Self-Assessment Questionnaire (SAQ), while Level 1 merchants must undergo an annual on-site assessment, usually by a Qualified Security Assessor (QSA), resulting in a Report on Compliance (ROC). The services and support a payment processor offers can further influence the fee, as some provide more comprehensive assistance or bundled security tools. Some processors also impose a separate non-compliance fee when a business fails to validate compliance with PCI DSS; this is distinct from the standard PCI fee, serves as a penalty to encourage adherence, and typically runs from roughly $20 to $60 per month. If a breach occurs while a merchant is non-compliant, the resulting fines and costs passed on by the acquirer can be far higher.