$90 for PCI Validation?  Get real.

Our merchant services provider, Global Payments, sent us a letter stating that we must be PCI Compliant, or face consequences such as fines, termination of our merchant account, and general woe and spiders.  We already follow the prescribed standards.  So, no problem?  No, problem: they want us to pay $90 to fill in a self-assessment questionnaire.


Just to clarify, our amusement is based on the fact that they think we'll pay $90 to do a self-assessment questionnaire.  We already follow prescribed standards, take security very seriously, and recommend you do too.

After about an hour of Googling, because Global Payments was wholly unhelpful, as is unfortunately usual for them, we discovered this: if you're an e-commerce merchant and process fewer than 20,000 Visa or MasterCard transactions per year, or if you're NOT an e-commerce merchant and process fewer than 1 million Visa or MasterCard transactions per year, you qualify as a "Level 4 Merchant".  While Level 4 Merchants must be compliant, they are not required to be validated.  Now there's something that Global Payments didn't mention.

The self-assessment questionnaire can be downloaded for free at https://www.pcisecuritystandards.org/merchants/self_assessment_form.php.  Note that there are several questionnaires; simply read the documentation to find the one that most closely matches your situation.  Once you've verified you're compliant, complete the "Attestation of Compliance" and send it to your Security Assessor.  If you're Level 4, this is sufficient to comply with all regulations, and there's no fee.

It is interesting to note that our account was "reported to your sponsor or bank as complete" the instant we uploaded the file.  There couldn't possibly have been enough time for anyone to read it.  Next year, we plan to upload a PDF that simply says "I BET NOBODY READS THIS".  What do you think will happen?
  1. Tamber
    May 6th, 2012 at 17:38 | #1

    I think that'll just coincidentally be the first time they ever actually look at one.
