Regulatory Compliance Costs
Actually there is a fiscal reason that doesn't have anything to do with profit directly, but with the cost of regulatory compliance. I work for a small electric utility that takes online credit card payments and payments via phone. If people understood how much it costs us in time and equipment to maintain regulatory compliance for PCI/DSS alone, they might stop asking some of these questions. We spend hundreds of person-hours a year to maintain our ability to provide this service to our customers. We have to perform regular internal audits. We have to perform vulnerability assessments and mitigation specifically related to PCI compliance that we would not otherwise have to mitigate. We have to pay for external audits. We have to maintain, audit, and track systems that are there specifically so that we are PCI compliant: systems that duplicate other perfectly acceptable and functional systems, except that those systems don't meet certain criteria that make them 'compliant'. Failure to maintain the correct paperwork, audits, assessments, equipment, and documentation for all of the above (yes, we have a paper trail to document our paperwork) can result in fines or loss of our ability to accept payments online or by phone. We only have about 40,000 customers, but we dedicate close to $100,000 a year in hours, and this doesn't include additional firewalls and network infrastructure capital and maintenance costs.
These regulatory burdens apply to ANY entity that accepts credit cards or e-check via phone or online. So whether you see the figure as a line item or not, you are paying for it.