13 replies to this topic

[iLLuSiOnS]

Hi, I have been with 1st national bank and authorize.net for about 2 years now, and it started off well, now they are throwing in charges left and right.

I am now getting charged an additional $120 a year for something called the PCI compliance fee, is anyone else getting these charges or is it just me?

I get charged $18 from my merchant, $8 statement fee plus $.25 for each batch and $.25 for each transaction, and 2.19% for visa and master card and of course the extra $120 a year for the new PCI compliance fee which comes out to $10 a month

Can anyone tell me if I am getting ripped off or not?

Thanks guys ( I am in the US)

[GemRock]

iLLuSiOnS, on Jun 9 2009, 09:07 PM, said:

...the PCI compliance fee...

not heard of this fee here in the UK (as yet). i am always suspect the pci hype is a new way of making money.

Ken

[MyTeeShirtGuy]

iLLuSiOnS, on Jun 9 2009, 04:07 PM, said:

Hi, I have been with 1st national bank and authorize.net for about 2 years now, and it started off well, now they are throwing in charges left and right.

I am now getting charged an additional $120 a year for something called the PCI compliance fee, is anyone else getting these charges or is it just me?

I get charged $18 from my merchant, $8 statement fee plus $.25 for each batch and $.25 for each transaction, and 2.19% for visa and master card and of course the extra $120 a year for the new PCI compliance fee which comes out to $10 a month

Can anyone tell me if I am getting ripped off or not?

Thanks guys ( I am in the US)

Hi, I use 1st Data (Card Services International) I think I am paying $140.00 additional. Basicly Visa, MasterCard, American Express, ect, all want compliance with the Payment Card Industry (PCI) Data Security Standards (DSS). This started about a year ago. They are making the service providers for credit cards have their merchants become Security Compliant so that credit card users do not get ripped off. The money I paid was for a company called Security Mectrics, one of hundreads of companies that are now available to test your web site and IP Host against all kinds of ways hackers get on your site. 1st data used the buying power of all its merchants to get us a cheaper deal. Thats probally what authorize .net is doing. Most of the other Payment services will be doing it as well or get droped from being able to handle the Visa, mastercard ect credit cards. I paid for a company to try an hack my website as well as the IP host. The requirement for PCI DSS compliance is 90 days (every Quarter). But I can scan my site every day, as many rtimes as I want to.

Even though I implemented all the security proceedures for OsCommerce, and for all practical purposes my Cart was secure, my site still failed until I got my IP Host to update and change their configuations.

EXAMPLE: SSL has more then one way to secure logins: This was one of my problems:

Synopsis : The remote service encrypts traffic using a protocol with known weaknesses. Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. See also : http://www.schneier.com/paper-ssl.pdf Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod _ssl.html for Apache. Risk Factor: Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

All I had to do was get my IP Host to turn off the SSL 2.0 and it was corrected. While iot is a pain in the --- and cost me extra money, I now know that my IP Host and my website is protected agains over 4400 different security hacks, and that makes it worth it to me.

[iLLuSiOnS]

not every company I find out charges this fee. Most companies require you to be PCI compliant, but they dont charge you the fee. With my crappy merchant, I am PCI compliant yet they still charge me I will be changing. Thanks

[Sharon_U]

Hi, I'm in the same boat, as I'm also being charged $120 for PCI at the end of this month. My volume of credit card sales is very low, so this cost is killing me. All I need is an IP host scan, since my database is stored "third party," and boom $120.

I've considered canceling my merchant account, but then I dread researching another one (here in the US) just so I can bypass this (not the compliance but the fee) since I'm getting such a good deal with rates, statement fee, etc. By switching, I would incur more/other costs, such as application fee, setup fees, possibly have a contract, etc. I feel it's expensive either way.

I have read both views 1) this is all about hype and making money -and- 2) that we are actually getting a good deal at $120 because it should and can cost more.

If anyone knows a work-around, an alternative solution, or a DIY, I would love to hear it. Thanks.

[burt]

Isn't this just the cost of doing business? Pass the cost onto your customers...

[kuai]

Sharon_U, on 18 September 2009, 14:27, said:

Hi, I'm in the same boat, as I'm also being charged $120 for PCI at the end of this month. My volume of credit card sales is very low, so this cost is killing me. All I need is an IP host scan, since my database is stored "third party," and boom $120.

I've considered canceling my merchant account, but then I dread researching another one (here in the US) just so I can bypass this (not the compliance but the fee) since I'm getting such a good deal with rates, statement fee, etc. By switching, I would incur more/other costs, such as application fee, setup fees, possibly have a contract, etc. I feel it's expensive either way.

I have read both views 1) this is all about hype and making money -and- 2) that we are actually getting a good deal at $120 because it should and can cost more.

If anyone knows a work-around, an alternative solution, or a DIY, I would love to hear it. Thanks.

One word. PayPal. Just a transaction fee and that's it. It doesn't get any cheaper than that. You don't have to be, or worry about PCI compliance. No contract. No setup fees. No hassles. I've been using them since day 1, and don't think I'll ever change.

Kuai

Edited by kuai, 04 November 2009, 22:15.

[eww]

kuai, i'm in the same boat. comfortable where i am (without the headaches and worries of pci) with paypal, but my customers have voiced a high opposition to it.

a large majority of them want to give me their credit card number directly.


so far, i've flat out refused, but it's still in the back of my head about how much business i'm losing. in my opinion, since i'm doing well now - not worth the risk. but i'd sure love to take in that extra business.

i absolutely refuse to deal with any pci crap until it's mandatory for even paypal sellers. nearly a half a mil. fine if you get hacked? what happens to the BUYER if their # is stolen from their email or by them being simply stupid? who gets blamed? us, the merchants.

doesn't seem right. we lose either way.... it seems almost as if (after reading the requirements) it could be easily blamed upon the seller if he's only a few days behind on updates and coincidentally the buyer gets their info lifted and distributed through a hacker network at around the same time.
there isn't much room left for technicalities like this in the rulebook.

yet again (as usual), it all goes off to protect visa and the consumer, leaving the seller with the open pockets.


i often wonder why everyone is so worried about getting pci approved and yet nobody worries about what happens if you get stiffed for being NON-pci compliant????

[kuai]

eww, on 06 November 2009, 10:13, said:

kuai, i'm in the same boat. comfortable where i am (without the headaches and worries of pci) with paypal, but my customers have voiced a high opposition to it.

a large majority of them want to give me their credit card number directly.


so far, i've flat out refused, but it's still in the back of my head about how much business i'm losing. in my opinion, since i'm doing well now - not worth the risk. but i'd sure love to take in that extra business.

i absolutely refuse to deal with any pci crap until it's mandatory for even paypal sellers. nearly a half a mil. fine if you get hacked? what happens to the BUYER if their # is stolen from their email or by them being simply stupid? who gets blamed? us, the merchants.

doesn't seem right. we lose either way.... it seems almost as if (after reading the requirements) it could be easily blamed upon the seller if he's only a few days behind on updates and coincidentally the buyer gets their info lifted and distributed through a hacker network at around the same time.
there isn't much room left for technicalities like this in the rulebook.

yet again (as usual), it all goes off to protect visa and the consumer, leaving the seller with the open pockets.


i often wonder why everyone is so worried about getting pci approved and yet nobody worries about what happens if you get stiffed for being NON-pci compliant????

Hey,
From my understanding, the CC processor needs to be PCI Compliant. You can get a virtual terminal through PayPal for $30 bucks a month. Then, you could take all the phone orders you wanted. I like to do other things besides answering a phone. Very few customers ever call, and I haven't ever had a dispute. I don't want to store any financial info. and never will. I have had a few customers call me, and want me to input their CC info as well. I don't and will not do it, because who would be responsible as you said. The customers account info is all public knowledge anyway. Name, address, phone number? That's in the phone book. And it's easy to find out an email address. What would a hacker do with public information? PayPal doesn't even send the customer the tracking number from the USPS. I asked PayPal why not? They said it was to protect everyone. Fine with me. If I'm losing a little business, so be it. There are several customers to make up for the one that didn't want to use PayPal. If a merchant doesn't process CC, then the merchant shouldn't ever have to be PCI Compliant. If we ever have to be compliant for storing a name, address, or phone number, that's Big Brother in my opinion. Let's all wonder around in the darkness for a few more thousand years.

Just my 2 cents,

Kuai

[Xpajun]

I've found that since PayPal will not process cards unless you open an account with them and store your card details with them my sales have dropped dramatically. Being pci compliant and using real merchant services is a very small price to pay in my opinion.

Edited by Xpajun, 24 November 2009, 11:49.

[kuai]

Xpajun, on 24 November 2009, 11:49, said:

I've found that since PayPal will not process cards unless you open an account with them and store your card details with them my sales have dropped dramatically. Being pci compliant and using real merchant services is a very small price to pay in my opinion.

Website Payments Standard DOES NOT require that your customer have a PayPal account. Instead, when your customers check out, they will be directed to a page that allows them to log into their PayPal account or pay by credit card without having to sign up for a PayPal account.

PayPal Express Checkout does require a PayPal account, but this will automatically be created for the customer upon checkout.

Kuai

Edited by kuai, 24 November 2009, 14:48.

[Xpajun]

kuai, on 24 November 2009, 14:43, said:

Website Payments Standard DOES NOT require that your customer have a PayPal account. Instead, when your customers check out, they will be directed to a page that allows them to log into their PayPal account or pay by credit card without having to sign up for a PayPal account.

PayPal Express Checkout does require a PayPal account, but this will automatically be created for the customer upon checkout.

Kuai

No longer so I'm afraid

Edited by Xpajun, 24 November 2009, 18:04.

[kuai]

Xpajun, on 24 November 2009, 18:03, said:

No longer so I'm afraid

"Customers can check out without a PayPal account

When the "account optional" feature is turned on, customers don't need a PayPal account. They use an alternate checkout and have the option to sign up for a PayPal account afterward. Customers with PayPal accounts still log in to their PayPal accounts to check out.

This feature is available for Buy Now buttons, Donations, and shopping carts."

I copied and pasted this from PayPal's website under Website payment preferences. Things may be different in the U.K., but if it has changed, PayPal hasn't updated their own website. If you have a link about the change, please post it(or email it to me) so I can put the requirement in the welcome email so the customers will know it's a PayPal thing and not me.

Thanks,

Kuai

[Xpajun]

kuai, on 24 November 2009, 19:06, said:

"Customers can check out without a PayPal account

When the "account optional" feature is turned on, customers don't need a PayPal account. They use an alternate checkout and have the option to sign up for a PayPal account afterward. Customers with PayPal accounts still log in to their PayPal accounts to check out.

This feature is available for Buy Now buttons, Donations, and shopping carts."

I copied and pasted this from PayPal's website under Website payment preferences. Things may be different in the U.K., but if it has changed, PayPal hasn't updated their own website. If you have a link about the change, please post it(or email it to me) so I can put the requirement in the welcome email so the customers will know it's a PayPal thing and not me.

Thanks,

Kuai

I've had no notification from PayPal - just did a check on it one day because I was getting a lot of failed orders and found that PayPal were asking my customers to sign up before they would take their card details.

I have found since then I can get a merchant account for 20GBP a month and a lower charge per sale than PayPal. It's now time to shop around - there are always greedy banks - sometimes that greed pays in your favour