Society of Payment Security Professionals Forum  

03-10-2009, 04:58 AM
MistySue
Junior Member
Join Date: Mar 2009
Posts: 2

Recovering the Cost of Compliance from Customers

Hello all, I am not sure if this is the correct spot to ask this question, but none of the other forums looked right either.

I am wondering what other companies have done to recover the cost of PCI compliance from customers. For my company, a lot of the customers are pushing for PCI. We would like to charge for this service, as there are not a lot of companies in Canada that are compliant. Have any of you done this, and what was your experience/ideas?
03-10-2009, 10:22 AM
jonassono
Senior Member
Join Date: Apr 2008
Location: Vancouver, Canada
Posts: 279

All of my compliance work is with Canadian companies and, yes, there are very few that have validated their PCI-DSS compliance.

To the best of my knowledge, no clients are openly charging back the compliance costs (as an additional fee on the transaction slip) to their customers, but it may not be such a bad idea.

Thousands of small merchants now advise customers of a small additional fee ($.25 to $.50) for payment card purchases versus cash for transactions under $5 to $10. I am not certain how the additional fee is working out, i.e. the ratio of customers paying the fee to use a payment card versus those opting to use cash.

In your case, perhaps you could simply advise customers that a small additional fee for all credit card purchases will be automatically added to the purchase to cover the cost of PCI-DSS compliance.

You may want to check with the card brands you accept, your merchant bank and your acquirer before proceeding, as there may be restrictive covenants in place that prohibit this practice.
__________________
OJ Jonasson CMC

03-10-2009, 05:54 PM
MistySue
Junior Member
Join Date: Mar 2009
Posts: 2

Hey Jonassono, thanks for your reply. I actually work for a call centre; we are a third-party service supplier. We do all e-commerce transactions. Basically, we take the call and authorize or process the card using either an online processing company or the client's site. However, we are still required to be PCI compliant. Do you think there would still be restrictions in place, as we already charge per minute for the time the call takes (which includes time for the transaction)?
03-10-2009, 07:22 PM
jbhall56
Senior Member
Join Date: Feb 2007
Location: Minneapolis, MN
Posts: 1,282

In the SAS 70 world, it's not unusual to have a data center or call center charge their customers a fee to obtain a copy of the SAS 70 report.

Therefore, I would think it's not out of the question for you to charge some sort of fee to be PCI compliant and for conducting whatever work you might have to do to be PCI compliant.

Billing by the length of call is not controllable and would likely irritate your customers. After all, you would penalize customers whose customers are less organized and therefore take longer to conduct the transaction. That's not necessarily your customer's fault, but does affect your ability to process more calls per operator. I would recommend surcharges per call instead for PCI costs as well as for any reduced efficiencies of your operators due to extra call lengths. I would think that is a much more justifiable way to recoup your costs.
__________________
Jeff Hall, Director, Risk Advisory Services
RSM McGladrey Inc
801 Nicollet Mall, 11th Floor, West Tower
Minneapolis, MN 55402-2526
612 376 9280 - office
612 395 7280 - facsimile
www.mcgladrey.com

The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc
03-11-2009, 03:34 PM
jonassono
Senior Member
Join Date: Apr 2008
Location: Vancouver, Canada
Posts: 279

Quote (originally posted by MistySue):
Hey Jonassono, thanks for your reply. I actually work for a call centre; we are a third-party service supplier. We do all e-commerce transactions. Basically, we take the call and authorize or process the card using either an online processing company or the client's site. However, we are still required to be PCI compliant. Do you think there would still be restrictions in place, as we already charge per minute for the time the call takes (which includes time for the transaction)?

Since you are a service provider and not a merchant, you can pretty much do as you wish, within the confines of your SLAs/OLAs or contracts with the merchants you serve.

If you can readily quantify your PCI-DSS compliance costs, it would be fairly straightforward to add these costs somewhere in your billing stream, i.e. increase the per-minute call charges, add a percentage at each merchant invoice cycle, and so on.
__________________
OJ Jonasson CMC


Copyright (c) The Aegenis Group, Inc.