PCI Compliance

Discussion in 'Payment Processing' started by Finxx, Sep 14, 2012.

  1. #1
    I have my credit card through a merchant services company and I process it through their online portal. I charge $5k-$15k per month on it. They're now charging me for non-PCI compliance. Is this normal? They say they want to put a program on my PC that scans everything and puts documents on it and scans for credit card info.

    I'm a home based small business and they want enterprise grade equipment on my network. They want multiple layers of firewalls among other things. Is this right?
     
    Finxx, Sep 14, 2012 IP
  2. jestep

    jestep Prominent Member

    #2
    That sounds a little more invasive than what I've seen. Here's a really rough breakdown.

    Basically, PCI compliance has been required for all merchants since some time in 2009. Visa/MC mandated PCI in 2009 and even after 2 or 3 years, small merchants didn't know or care about proving compliance. For small merchants, which means under several million per year, Visa and MasterCard essentially said that processors are 100% liable for costs if one of their non-compliant merchants suffers a data breach. Since processors want nothing to do with that sort of liability, they are pushing merchants into PCI compliance programs, which are not free to implement, and most are fining their customers that do not get compliant.

    With that being said, there is absolutely nothing in PCI standards with regard to any provider putting software on your computer. It's not against regulations to store card numbers, so I'm not certain what they are even trying to accomplish.

    PCI should consist of a self-assessment questionnaire and a security scan of any internet-facing computers, servers, IP addresses, etc., that have access to the network where you enter credit cards. The questionnaire has specific sections which require a merchant to implement written policies and adhere to specific best-practice guidelines for security. It's important to understand that PCI is only a standard, so being PCI compliant does not make a business secure and it does not offer amnesty from costs if there is a data breach.

    You can get more information about actual PCI at the website that is run by the security council. The security council was established by all of the major card brands. - https://www.pcisecuritystandards.org/

    Your best bet is first off not to store any card numbers on your own equipment. This takes your business out of most of the scope of PCI. Second is to use the most secure and simple method of actually accepting cards. If you are keying them into a gateway, which is what I'm assuming, there is very little risk that you would suffer a data breach. Realistically the only vulnerability would be if you aren't connecting via SSL, or there is a keylogger on your computer. Personally, from a merchant, service provider and IT standpoint, I would not allow any other individual to install software on a computer or any device under my control. I would go through the questionnaire and make sure that you are using best practices.

    If you can better describe exactly how you enter payments, I can tell you which version of the questionnaire you need to fill out. The PCI website also has a "which SAQ do I need to fill out" FAQ.
     
    jestep, Sep 14, 2012 IP