North American Bancard, PCI Compliance Trouble, Possible Scam/Fraud/Deceptive Practice
Here is a story I urge anyone considering a merchant account, or who already has one, to read. It involves some very strange practices by a credit card processor, North American Bancard. My hope in writing this is to bring light to this issue, since PCI compliance is an unknown to most small merchants. I hope other processors do not follow in the steps of North American Bancard. I'm not sure if what North American Bancard is doing is illegal, but it sure sounds bad and at the very least has to be considered deceptive.
Sometime in late 2008 I referred a friend of mine to North American Bancard (NAB) for credit card processing. They ran a small grocery store and needed a simple swipe machine. They received their merchant account from NAB and started their business and use of the machine. Sometime in November/December a statement came in the mail with a note saying that there would be a PCI compliance fee of $79.99. I offered to help find out what this PCI compliance was and get them 'compliant'.
I first spoke to NAB in early December, asking what the fee was for. They said it was to get us PCI compliant. They made it sound pretty simple: pay the fee and you are compliant. The fee was $79.99 per year. I inquired if we could get our compliance from someone else, as it sounded pretty strange to begin with. The representative said I could go somewhere else for the service, and if I provided the compliance paperwork they would remove the charge. It's good to do some research before blindly paying a fee; maybe it was cheaper elsewhere? Some research was due.
Asking a few more questions, I found out that the fee was apparently for McAfee's (the virus and security company) PCI compliance service.
Doing a bit of research on the internet, I found the official PCI compliance website, or more properly the "PCI Security Standards Council", at http://www.pcisecuritystandards.org/
You can read a summary about the PCI organization at: https://www.pcisecuritystandards.org/about/index.shtml
It's basically a council formed by the big credit card companies to come up with security standards to help avoid credit card fraud.
Looking at the website initially can be overwhelming, and I think this is what NAB is counting on: the merchant getting 'lost' in all the regulations. Digging more into the site gave a list of approved security vendors, whose help I might require to get PCI compliant. They use acronyms for these certified vendors: QSAs (Qualified Security Assessors), PA-QSAs (Payment Application Qualified Security Assessors), ASVs (Approved Scanning Vendors). The heart of the regulations appears to be aimed at big retailers or other big businesses which store your credit card number and other information. Although it applies to everybody, there are obviously differences in the regulations (and compliance requirements) between a grocery store running 5 credit cards per day on a terminal machine and a big company like Sears or Amazon, which might collect and store information on thousands of customers per day. These rules appear to be aimed at preventing the major breaches in customer information (and hence fraud) we hear about in the news so often these days.
A call to one of the approved providers got me some helpful information. He asked me a few questions and in the end told me to go to the PCI compliance website, fill out the appropriate self-assessment questionnaire, sign it, and that was it. He seemed disappointed when I told him we only had a dial-up terminal, and he explained they mainly deal with big companies who need security advice and scans on their networks and servers. I'm sure he was not happy that I couldn't be a customer of theirs, but he was polite and honest in explaining that I didn't need their service.
I further dug into the PCI compliance website. There I found the 'Self-Assessment Questionnaire'. Reading the requirements again, it states that if you have small volume with only a dial-up terminal, you qualify to fill out the questionnaire and sign it. Sounds good; this is what the security provider told me. We filled out the forms (which covered pretty basic stuff like securing the little paper receipts with the card information on them), signed them and faxed them in to NAB's PCI compliance division. This was in early December.
We got a call from NAB in late December stating that the PCI compliance paperwork was incomplete. When asked why, we were given the answer that we needed a 'network scan' from an approved PCI vendor. We explained that we were told by a PCI approved vendor that since we only had a dial-up terminal we didn't require a scan. NAB told us no, that we needed one and if we didn't get one the fee would be charged.
OK, before I continue let me give you some background on the store where this supposed 'scan' has to take place. It's a grocery store about the size of your living room, with two employee/owners, a married couple running the whole thing. The business does not have any computers. The only computer this couple owns is at home, which I estimate is at least 5-8 years old, with no internet access (they canceled it a while back when they couldn't figure out how to use the computer). If you have any friends like this you know what I'm talking about: they can't use the mouse properly and it takes them about a minute to find and type out one word. When they do turn it on every 3 months, you get a frantic call asking how they shut it down, because you told them that just turning it off was not good... it's START, in the lower left hand corner, then SHUT DOWN.
Back to the NAB call. They told me that I could speak to their compliance provider if I had any questions. OK, good, I got their number*, and this turns out to be McAfee's PCI compliance division. A call to McAfee brings a helpful gentleman on the phone; I will not use his name on the internet, but will call him M-REP1*. I explained the situation to him and asked about this scan. He knew my situation precisely. He told me that they have been getting a LOT of calls from NAB merchants just like us, and he said that since we only have a dial-up terminal a scan cannot be made. He also told me the exact same thing the representative of the other PCI-approved vendor had told me on our inquiry several weeks before: go to the compliance website, fill out the Self-Assessment Questionnaire, sign it and send it to your merchant processor, and that is all that is required. I said we had already done that, thanked him and hung up to call NAB back.
I called NAB back. I spoke to a customer service representative and explained what McAfee and the original PCI vendor had told us. They put us on hold to ask a supervisor. When they came back they again told us we needed to have a scan done, and that if we didn't get one they would charge us the $79.99 to get it done. I honestly didn't know what to say at that point. What were they going to scan??? No coherent answer was given to this question. After the call I wasn't sure what to do: two PCI-approved vendors were telling me one thing (one of them being the company NAB was supposedly contracting to do these scans) and NAB was telling me something else. Out of desperation I called McAfee back.
I called McAfee back and out of sheer luck I got the same person I spoke to before. I explained to him what NAB said and he seemed outright frustrated; he told me again of all the calls they have been getting from NAB customers. I told him I thought this was a big scam; he said nothing. He explained again that since there was no network he could not issue me any 'scan' certificates, and reiterated that all I needed was a self-signed certification for the dial-up terminal. I told him I knew this, but NAB didn't want to believe me. I asked if he could send me any official statement about this, and he graciously agreed. In a short time I got an official written record from McAfee's PCI certified compliance department explaining that they could not issue me a scan certificate since there was nothing to scan. They also mentioned (again) that for a dial-up terminal all I had to do was fill out and sign the Self-Assessment Questionnaire, which is available free for everyone on the PCI council's website; he even provided a link to it. Reading the PCI compliance website some more, this makes sense: if you have a plain old dial-up terminal, the only possible avenue of fraud is the information on the little receipts it prints, which the customer has to sign. If you secure these, there is no other avenue of possible fraud (this is mentioned, and its security is required, in the certification you have to sign). Of course there is the dial-up terminal itself, but this is provided by NAB and you have no real control over the security aspects of this terminal. By the way, the terminal itself IS PCI compliant already.
I have sent this information to NAB and I'm waiting for their response. I don't expect to hear back from NAB any time soon, and it doesn't matter at this point: whether I get this charge removed or not, I will continue to collect information and post my experiences with NAB, hopefully informing other small merchants of this practice. I know from talking to the PCI representative that this is a widespread issue and NAB is trying to collect erroneous fees from their small, unsuspecting merchants, the small mom and pop shops who usually will not research this issue and will probably just pay the fee. For these merchants I'm not even sure what the supposed PCI service that NAB is charging for is, since they always seemed to reject the validity of the self-assessment questionnaire that is posted on the council's site. Their $79.99 scan of thin air will accomplish zero for these merchants. Reviewing, filling out and complying with the council's questionnaire is all that is needed.
I'll leave you with one more bit of information. During my Internet searches I came upon a list put out by VISA, which is posted on their site, named the "List of PCI DSS Compliant Service Providers". It is a PDF document with the PCI compliance status of service providers. The list is available here:
And as of the end of December 2008, if you do a search in the document for "North American Bancard" you will see them in the list with a compliance date in YELLOW text. What does this mean? According to Visa, this marks a service provider whose compliance report is late: "... 1-60 days late are noted in yellow ..."
Now ask yourself if you are willing to trust or give business to a company that will provide a scan of something they cannot even describe, for a fee of $79.99, something that no one else is willing or capable of doing, and a standard which they themselves appear to be late in complying with.
If you are in a position to help (State Attorney's office, credit card company personnel (VISA/MASTERCARD/DISCOVER/AMEX), business organizations, someone from the PCI council), or just have a story or comment about this, please email me at firstname.lastname@example.org
*NOTE: I have omitted names, or used references to certain people, extensions, and some contact information to protect people's privacy. If I am contacted by official sources who might help in this matter I will provide more information.