$59/$119 SAQ fee


rx.jeff
05-18-2009, 09:28 AM
Recently, our company received a letter from our merchant bank stating that we will be charged a $27/mth non-compliance fee commencing July 1, 2009 unless we pay either $59 (for dialup apps only) or $119 for "scanable payment apps that are on the Internet" for SAQ validation. We are forced to log into Trustwave's portal, which I assume they've contracted out to be their validators.

We actually have not used the merchant account since opening it. The idea was to have it handy in case our customers have a problem using our application with this merchant bank's acquirer. In any case, there has been no usage since the opening of the merchant account, which we managed to set up without any fees due to the many referrals that we gave them.

From a QSA's point of view and PCI, I'm curious to know what your point of view is in regard to situations like this?

ADail
05-18-2009, 11:14 AM
I would think it would be very difficult for the Acquirer to actually know that you're not processing yet (at the compliance level anyway).

It sounds like the bank is trying to cover some of the overhead it will be required to expend tracking down merchants who have not used the automated (relatively) process.

The scenario you described sounds like an excellent opportunity to review the business need to retain the account (reminds me of the review that should occur around whether or not CHD really, really, really, needs to be retained).

jonassono
05-19-2009, 10:01 AM
> Recently, our company received a letter from our merchant bank stating that we will be charged a $27/mth non-compliance fee commencing July 1, 2009 unless we pay either $59 (for dialup apps only) or $119 for "scanable payment apps that are on the Internet" for SAQ validation. We are forced to log into Trustwave's portal, which I assume they've contracted out to be their validators.
>
> We actually have not used the merchant account since opening it. The idea was to have it handy in case our customers have a problem using our application with this merchant bank's acquirer. In any case, there has been no usage since the opening of the merchant account, which we managed to set up without any fees due to the many referrals that we gave them.
>
> From a QSA's point of view and PCI, I'm curious to know what your point of view is in regard to situations like this?

I would formally advise the bank in question that you do not agree to pay any service charges and instruct them to close the account if they do not agree to waive all PCI related 'Non-compliance' service charges. If they do not agree to waive the charges and choose to close the merchant account, I would strongly suggest you cease all business relations with this bank. This is as close to the definition of a classical "scam" as it gets.

Sounds like a very lucrative business for a bank to set up a whole series of non-performing merchant accounts and levy 'Non-compliance' PCI-related penalties on each one.

ADail
05-19-2009, 12:40 PM
You should see the amount on the warning letter I received from one of the closed brands, should I be late in submitting my ROC.

jonassono
05-20-2009, 07:33 AM
> You should see the amount on the warning letter I received from one of the closed brands, should I be late in submitting my ROC.

I'm not familiar with the term 'closed brand'. Is it something unique to either the US or your state?

Could you please explain the term 'closed brand'?

ADail
05-20-2009, 08:01 AM
> I'm not familiar with the term 'closed brand'. Is it something unique to either the US or your state?
>
> Could you please explain the term 'closed brand'?

(credit to Chris Mark).
An open loop brand model allows entities outside of the brand to be the issuer and the brand facilitates the transaction, usually by owning the network.

In a closed loop model the brand is the issuer and acquirer, and usually owns the network as well.