This will be the fourth time I have written about the snappily titled Payment Card Industry (PCI) Data Security Standard (DSS) over the past year. But the ‘good’ news is that I now know what a complete con it is - not that there is any way around it for the small independent retailer. It’s a proper stitch-up.
Keran Patel, who runs the delightfully-named Purley Bon Bon in Surrey, rang up after he read my piece on PCI DSS in the 25 October issue. I had mentioned that this ‘protection’ compliance requirement if you take plastic in your store would cost you about £30 a year. It is costing him nearly a hundred quid a year and he wanted to know why. He sent me his merchant card processing statement from First Data which does the biz for Bank of Scotland and I could see that his compliance management fee costs £4.99 a month and the maintenance fee for same was £2.99 a month = £7.98 a month. Yep, you read that right he is paying a maintenance fee on the management fee. And he’s been paying it for about two years now.
He said: “This is just to make sure I store the slips in a sensible place until the statement arrives.”
His terminal is provided by 3-R Telecom so Keran suggested I talk to them to find out whether he could opt out of this senseless requirement.
I spoke to one of its directors, Paul Wootten, who actually has a degree in compliance from the University of Johannesburg in South Africa.
He helped to build the system in the first place, but in a good way: to help prevent money laundering on a global scale. But, like Frankenstein, the creation has returned and been grabbed by the financial sector.
He says: “The banks provide the device and the software and then charge the client. When the client prints a receipt it only has the last four digits on it, but the banks break their own rules when they send the statement to the retailer because they provide the full details so the retailer must be PCI compliant to protect the bank (in case details get used in a fraudulent way).”
Paul calls it “an absolute rip-off” and adds that the banks can charge up to £70 a month in penalties if you don’t comply. He reckons it goes into a slush fund. “The big card guys say it generates one-third of their profits. They do no processing, nothing for it at all they just take the money.”
No one knows quite how it is divided up between the card companies and the banks, and that’s because they prefer it that way.
And here’s a final interesting thought. 3-R believes that the supermarkets don’t pay the banks a penny for compliance.
I could write more - about how, for example, the PCI website has a ‘quick’ guide for small merchants doing self-assessment: it’s 33 pages long. And I could use another 33 to describe what I’ve learnt about PCI DSS. Anyone want to offer me a book deal?