Acquiring Bank's PCI Charges

We work closely with Lloyds and are aware that they have introduced a new PCI-DSS Compliance Management Service for Level 4 Merchants. It carries a £5.50 monthly charge once enrolled, or a monthly inactivity fee of £15 per outlet (MID) if you fail to complete the enrolment process within 3 months of receipt of a letter from Cardnet providing the initial password for access to the PCI DSS portal.

There is a monthly non-compliance fee of £30 per outlet (MID) if Cardnet determines that the retailer has failed to complete the annual PCI DSS validation process and attestation of compliance on the PCI DSS portal within 6 months of receipt of a letter from Cardnet providing the initial password for access to the PCI DSS portal.

What we want to know is:

1. What are the other acquirers doing?
2. How much are they charging?

And most importantly:

3. What do you think of these fees?
kulture

Free Member • Aug 11, 2007
www.kultureshock.co.uk
I use Streamline, and before them HSBC. Both of them asked me to get PCI compliance and both recommended Security Metrics. I pay £95 a year for this. I do not like having to pay. In general I do not like any additional charge. I do however understand that they want to improve card data security and customer confidence. I would be happier to pay if the banks advertised this more and sold customers on the benefits, thus increasing online sales.

The "fine" for non-compliance is meant to cover them for the increased risk.

kulture
I use SagePay. I use their most secure interface, which is the server interface. Thus Sage actually hosts the payment form on their server (and it is displayed in an iframe). It proved impossible to persuade the stupid monkeys of Security Metrics that I did not host the form. They are of the opinion that because my URL was at the top, I hosted it. To be honest I do not mind paying for the quarterly scan, as I feel it is good practice to have a secure server, and the scan goes part way to checking this.

If the PCI rules get tighter and they insist I use a PA-DSS compliant payment application, then I will have the argument again.
