$90 for PCI Validation? Get real.
May 3rd, 2012
Our merchant services provider, Global Payments, sent us a letter stating that we must be PCI Compliant, or face consequences such as fines, termination of our merchant account, and general woe and spiders. We already follow the prescribed standards. So, no problem? No, problem: they want us to pay $90 to fill in a self-assessment questionnaire.
HA! HA HA HA! HA HA HA HA HA HA HA! HA HA HA HA HA! HA HA! HA!
Just to clarify, our amusement is based on the fact that they think we'll pay $90 to do a self-assessment questionnaire. We already follow prescribed standards, take security very seriously, and recommend you do too.
After about an hour of Googling, because Global Payments was wholly unhelpful, as is unfortunately usual for them, we discovered this: if you're an e-commerce merchant and process fewer than 20,000 Visa or MasterCard transactions per year, or if you're NOT an e-commerce merchant and process fewer than 1 million Visa or MasterCard transactions per year, you qualify as a "Level 4 Merchant". While Level 4 Merchants must be compliant, they are not required to be validated. Now there's something that Global Payments didn't mention.
The self-assessment questionnaire can be downloaded for free at https://www.pcisecuritystandards.org/merchants/self_assessment_form.php. Note that there are several questionnaires; simply read the documentation to find the one that most closely matches your situation. Once you've verified you're compliant, complete the "Attestation of Compliance" and send it to your Security Assessor. If you're Level 4, this is sufficient to comply with all regulations, and there's no fee.
It is interesting to note that our account was "reported to your sponsor or bank as complete" the instant we uploaded the file. There couldn't possibly have been enough time for anyone to read it. Next year, we plan to upload a PDF that simply says "I BET NOBODY READS THIS". What do you think will happen?