Non-compliance fees are viewed by many as an acceptable short-term solution to a merchant’s unwillingness to engage with a compliance program. However, despite acquirers’ best efforts, some merchants remain disengaged.
So when a merchant ignores notifications regarding their non-compliance status and the application of non-compliance fees, it may be time to change tactics and consider alternative approaches to drive engagement and compliance.
There are numerous steps that acquirers can take to maximise merchant engagement with their compliance programs, many of which are outlined in a previous article entitled ‘Creating a successful Merchant PCI DSS Compliance Program’.
For merchants who ignore such efforts, a non-compliance charge can often be enough to prompt action. However, despite persistent communications from the acquirer and the ongoing application of a non-compliance fee, some merchants simply never engage.
In such cases, charging them on a continuing basis is not good practice and, provided reasonable time has been allowed, it may be appropriate to adopt tougher measures.
So why do businesses not engage?
There are many reasons why businesses don’t engage with such programs; some of them easier to address than others.
“I didn’t know I had to!”
Sometimes poor engagement is due to a lack of communication, or to minimal communication. Busy merchants can miss one-off notifications regarding fees, or even additional charges hitting their merchant account, because they don’t always have time to go through their statements in detail.
If non-compliance fees are being applied, acquirers must ensure that, at a minimum, regulatory compliance requirements are being met, and at best that they are communicating with merchants on a regular basis.
“I just don’t have the time”
For many the reason is quite simply time or resource related. When you have a long to-do list, mostly concerned with keeping your business open and profitable, compliance and security will generally be of low priority. We know that the vast majority of businesses want to make sure their customer information is safe, they just have so many other things to think about.
For this type of merchant, the fee is sometimes a small price to pay for the time and effort it would take to get secure and compliant.
“It’s too technical”
Most small and medium-sized business owners are not technically minded. More and more they are looking to outsource their business’s IT requirements and this is one more technical issue that they don’t want to have to deal with. Whether this reason is real or perceived, it’s definitely one that’s very often given for not engaging.
“I can’t get compliant, it would cost too much or it would require major change”
For some merchants, cost or the level of change is an issue, often related to upgrading their payment terminals, systems or business processes. Whilst this is a valid reason, it is one that warrants help and guidance rather than simply being punished with a continuing non-compliance charge.
Whatever the reason, and often you may not know the reason because the merchant is not engaging, it’s difficult to justify a perpetual non-compliance charge. Even though the business is willing to pay the charge, these small charges add up over a few years and can become a significant amount.
For example, in the US, merchants pay an average of $13 per month in non-compliance charges; that’s about $150 per annum but can be as high as $300 per annum – difficult to justify when it comes to smaller-sized businesses.
The case for non-compliance charges
Undoubtedly, for some merchants a combined carrot and stick approach is required. So firstly it’s about helping the merchant understand the value of PCI DSS compliance and their acquirer’s commitment to helping them through the process.
Then, if necessary, a non-compliance fee, or even the threat of one, can be a very effective means of prompting action. It is, however, essential that the merchant is given sufficient notice regarding application of the fee, and also that communications continue in order to remind the merchant that the fee is being applied, and of the action needed to stop the fee.
Such communications are good practice and indeed, very often required for reasons of regulatory compliance.
The case against non-compliance charges
Merchants who remain in a state of non-compliance without any communication with their acquirer are no doubt a considerable risk. However, non-compliance charges that are simply levied without any effort to engage the merchant and help them towards compliance are not good practice and may be viewed as just another charge from acquirers looking to boost revenue.
It leaves merchants without appropriate security measures in place and increases the likelihood of breaches. In addition, such charges also increase the likelihood of merchant churn in the long run. So it is not good for merchants and not good for acquirers long-term.
To charge or not to charge?
Some acquiring organisations simply apply charges without doing anything to encourage the merchant towards compliance; this practice gives such compliance and security initiatives a bad name. However, most acquirers do encourage their merchants to engage and to be compliant and secure.
Some do it through education programs, aimed at educating merchants on the benefits of being compliant and secure, and also on the possible threats to their business for not doing so.
Others have very comprehensive communications programs that ensure their merchants are fully informed regarding the action they need to take and when. They are also very diligent in reminding merchants when important deadlines have passed and charges are being incurred.
All of these steps are welcome, but unfortunately often not enough, and therefore non-compliance charges may be seen as necessary. There are other actions that acquirers can take to encourage engagement and compliance, but some need to be weighed up against the possible negative effects on customer relations.
Long-term non-compliance strategies
There are two main strategies that acquirers can adopt as alternatives to unending non-compliance charges: change the consequences or change the proposition. Each should be considered with the acquirer’s end-game in sight. What are you ultimately trying to achieve?
Incremental fees: one option is to increase the non-compliance fee over time. This may address the issue of the fee being a small price to pay for not having to go through the compliance process. However, it is really more of the same and does little to address risk; merchants will have different thresholds and may simply move to another acquirer with a fixed non-compliance charge.
Withhold funds: rather than applying a fee, acquirers have the option of withholding the merchant’s processing funds until they have engaged and are actively working towards compliance.
This is quite a drastic measure to take and, again, communicating the action both before and after it is taken is essential. While this action is likely to be successful in getting the merchant’s attention, it could be detrimental to the customer relationship.
Notice of termination: if alternatives fail, it may be necessary to consider serving the merchant with notification of termination. This is obviously the most drastic measure and one that should only be considered after all other avenues have been exhausted. Again, even if this does prompt action, it is likely to have a negative effect on the customer relationship.
Another option is to replace the non-compliance fee with compliance and security value-added services. Encourage merchants to consume appropriate solutions from within your own product portfolio or via a third party in order to simplify security and reduce scope.
By making appropriate compliance and security services easier to consume, acquirers can achieve their objectives of reducing risk without damaging customer relationships.
In a US market study, 82% of acquirers reported that imposing non-compliance fees resulted in more merchants achieving PCI compliance. Therefore, they are a possible short-term solution to a lack of engagement and action on the merchant’s part, albeit not a very proactive, relationship-building, or long-term one.
With comments like ‘I don’t have time for this’ and ‘Can’t you just do this for me’ received on a regular basis, it may be time for a different approach.
If you genuinely care about your customers and want to provide them with a valuable service at a reasonable price, long-term non-compliance charges are not an option. For the majority of acquirers, the objective is to reduce risk by maintaining a secure and compliant merchant base, and it seems the answer is to make it as easy as possible for those merchants to get compliant.
When you have done everything you can and a merchant is not willing to complete the process, or to have someone help them do it, then it may be time to part ways. Saying ‘this is about security and reducing risk’ is not enough; your actions must match your words.
At Sysnet, we understand that security and compliance can be complicated. We simplify it, by taking the work away from the customer with Sysnet Proactive Data Security. Our Proactive Data Security services can help your customers at whatever stage they are with outsourced assistance. For further information request a callback or email email@example.com
Source: ControlScan and MAC 3rd annual survey, Building Momentum Acquirer Study 2013