At VGS, we often get asked by prospective customers about the true costs of PCI. We’ve written about this topic before in broad strokes. Ultimately, the potential costs of PCI non-compliance are catastrophic, both financially and reputationally. But those big numbers can be scary and seem unreal. So let’s put a good summertime analogy to work in explaining how costs arise for two different market players - a small merchant and a SaaS platform with integrated payments.
This first blog post will look at the direct costs and concerns of these two entities. Part two will speak to the indirect costs of PCI non-compliance and the steps you can take to avoid the ice-cream headache-inducing complexity of running and growing a secured business.
PCI Non-Compliance Fees - The Local Shop
I live on Cape Cod, where zoning laws practically require an ice-cream shop to be within 100 yards of any residence during the summer. Summer destinations are some of the core holdouts of traditional cash-only businesses amidst the tide of payment digitization. While there are still one or two novelty shops sticking to cash-and-carry, the majority are now accepting cards – and the PCI scope that comes with them. If I were to put a PCI DSS Self-Assessment Questionnaire (SAQ) in front of the shop owners for the first time and tell them to have it completed in 60 days, they might immediately go back to cash (I would).
But more likely they would put it away and just shoulder the regular merchant non-compliance fees coming in from their payment service provider (PSP) which may range from $0-$50 per month. They would also likely pay a regular PCI-Compliance Fee that goes towards maintaining the PCI-Compliance Program of their PSP in the same $0-$50 dollar range monthly.
As a Level 4 (<20,000 ecommerce transactions annually) merchant, your shop is required to complete a SAQ and complete an attestation of compliance (AOC) annually, which are often found in the same form together. Your provider may either leave the SAQ completely up to you where you submit to them, streamline the completion of a SAQ on your behalf via click-throughs and e-signature, or have a 3rd party coordinate PCI requirements on their behalf.
Total Cost: 10 Cones/Month and assumed risk of processing shutoff at the processor or partner’s discretion for extended non-compliance.
PCI Non-Compliance Fees - The Ice Cream SaaS Platform
Now let’s say you are a Software-as-a-Service company catering to the ice cream industry. Perhaps you are a payment facilitator already, or maybe you are in partnership with one to handle your payments. Either way, you have a growing book of ice-cream shop merchants - managing logistics, inventory, payroll, and customer payments across 42 states and 417 flavors. Here the stakes are higher:
- How do you coordinate card-payments for your platform customers across each function?
- On your website via an embedded iframe from your payments gateway provider? (low PCI-scope as the payment information never hits your servers)
- Using your own code to submit payment information directly to an API? (high PCI-scope as you handle the payment information directly)
- Through a mobile-app using an SDK or js browser (variable PCI-scope based on how you build)
- If your application handles acceptance, transmission, or storage of card-data, you will likely need to complete a SAQ-D Service Provider
- If you transmit over 300,000 card transactions per year you will qualify as a Level 1 Service Provider for PCI. At $5/cone that’s only $1.5m in total volume across all your ice cream companies! All-in Level 1 costs (including personnel, audits, testing, and opportunity costs) can easily become extreme if you are doing it yourself (and merely prohibitive without the right partners).
- Finally, even if you are not a Level 1 Service Provider, you may bear some responsibility as a service-provider for coordinating each ice cream shop’s PCI compliance.
Failure to adhere to any of the requirements above could result in audits and fines, with your acquirer passing fees ranging from $5,000 to $100,000 to you and your ice cream shops until compliance is met. Cyber-insurance covering breaches and lost business due to prospects who use alternate providers based on the Visa Service Provider Registry are also costs to consider.
Direct Compliance Cost: 100-20,000 Cones/Month and assumed risk of processing shutoff if the acquiring bank or card networks so chooses.
The Scoop: End of Part One
Part one showed how we have gone from a simple cash-based ice-cream store to a comprehensive software package and all the facets that can lead to PCI confusion and costs - just these direct costs for non-compliance can be daunting. Simple questions for an ice-cream shop like: “Can your cashier enter card information manually if a customer has a scratched up card?” or “”Do you offer online orders for ice-cream or merchandise?” Can have significant PCI implications.
For the software provider, potential PCI costs and responsibilities may deter you completely from integrated payments again. But like the cash-only ice cream shop, you run the same risk of becoming a novelty or a relic as our world becomes inexorably cash-less. Perhaps more likely, you may opt to go with the simplest drop-in solution instead of something branded, integrated, and on your own terms.
In part two we will look beyond the direct costs of PCI non-compliance. With the right partners, PCI compliance can mean opportunities, flexibility, and revenue instead of a burdensome hurdle. Remember, here at VGS we are enablers and growers, so stick around for how we do both of those things for you in the realm of PCI (and frozen desserts).
Khyati Srivastava 
