North American Bancard Complaint - North American Bancard, PCI Compliance Trouble, Possible Scam/Fraud/Deceptive Practice
Here is a story I urge anyone considering a merchant account, or who already has one, to read. It involves some very strange practices by a credit card processor, North American Bancard. My hope in writing this is to bring light to this issue, since PCI compliance is an unknown to most small merchants. I hope other processors do not follow in the steps of North American Bancard. I'm not sure if what North American Bancard is doing is illegal, but it sure sounds bad and at least has to be considered deceptive.
Sometime in late 2008 I referred a friend of mine to North American Bancard (NAB) for credit card processing. They ran a small grocery store and needed a simple swipe machine. They received their merchant account from NAB and started their business and use of the machine. Sometime in November/December a statement came in the mail with a note saying that there would be a PCI compliance fee of $79.99. I offered to help find out what this PCI compliance was and get them 'compliant'.
I first spoke to NAB in early December, asking what the fee was for. They said it was to get us PCI compliant. They made it sound pretty simple: pay the fee and you are compliant. The fee was $79.99 per year. I inquired whether we could get our compliance from someone else, as it sounded pretty strange to begin with. The representative said I could go somewhere else for the service, and if I provided the compliance paperwork they would remove the charge. It's good to do some research before blindly paying a fee; maybe it was cheaper elsewhere? Some research was due.
Asking a few more questions, I found out that the fee was apparently for help from McAfee (the antivirus and security company) for their PCI compliance service.
Doing a bit of research on the internet, I found the official PCI compliance website, or more properly the "PCI Security Standards Council", at http://www.pcisecuritystandards.org/
You can read a summary about the PCI organization at: https://www.pcisecuritystandards.org/about/index.shtml
It's basically a council formed by the big credit card companies to come up with security standards to help avoid credit card fraud.
Looking at the website initially can be overwhelming, and I think this is what NAB is counting on: the merchant getting 'lost' in all the regulations. Digging more into the site gave a list of approved security vendors, whose help I might require to get PCI compliant. They use acronyms for the vendors they certify: QSAs (Qualified Security Assessors), PA-QSAs (Payment Application Qualified Security Assessors), and ASVs (Approved Scanning Vendors). The heart of the regulations appears to be aimed at big retailers or other big businesses which store your credit card number and other information. Although it applies to everybody, there are obviously differences in the regulations (and compliance requirements) between a grocery store running 5 credit cards per day on a terminal machine and a big company like Sears or Amazon, which might collect and store information on thousands of customers per day. These rules appear to be aimed at preventing the major breaches in customer information (and hence fraud) we hear about in the news so often these days.
A call to one of the approved providers got me some helpful information. He asked me a few questions and in the end told me to go to the PCI compliance website, fill out the appropriate self-assessment questionnaire, sign it, and that was it. He seemed disappointed when I told him we only had a dial-up terminal, and he explained they mainly deal with big companies who need security advice and scans on their networks and servers. I'm sure he was not happy that I couldn't be a customer of theirs, but he was polite and honest in explaining that I didn't need their service.
I further dug into the PCI compliance website. There I found the 'Self-Assessment Questionnaire'. Reading the requirements again, it states that if you have small volume with only a dial-up terminal, you qualify to fill out the questionnaire and sign it. Sounds good; this is what the security provider told me. We filled out the forms (which stated pretty basic stuff like securing the little paper receipts with the card information on them), signed them and faxed them in to NAB's PCI compliance division. This was in early December.
We got a call from NAB in late December stating that the PCI compliance paperwork was incomplete. When asked why, we were given the answer that we needed a 'network scan' from an approved PCI vendor. We explained that we were told by a PCI approved vendor that since we only had a dial-up terminal we didn't require a scan. NAB told us no, that we needed one and if we didn't get one the fee would be charged.
OK, before I continue let me give you some background on the store where this supposed 'scan' has to take place. It's a grocery store about the size of your living room, with two employee/owners, a married couple running the whole thing. The business does not have any computers. The only computer this couple owns is at home, which I estimate is at least 5-8 years old, with no internet access (they canceled it a while back when they couldn't figure out how to use the computer). If you have any friends like this you know what I'm talking about: they can't use the mouse properly and it takes them about a minute to find and type out one word. When they do turn it on every 3 months, you get a frantic call asking how to shut it down because you told them that just turning it off was not good... it's START, on the lower left hand corner, then SHUT DOWN.
Back to the NAB call. They told me that I could speak to their compliance provider if I had any questions. OK, good, got their number*, and this turns out to be McAfee's PCI compliance division. A call to McAfee brings a helpful gentleman on the phone; I will not use his name on the internet, but will call him M-REP1*. I explained to him the situation and asked about this scan. He knew my situation precisely. He told me that they have been getting a LOT of calls from NAB merchants just like us, and he said that since we only have a dial-up terminal a scan cannot be made. He also told me the exact same thing the PCI representative did (from our initial contact with another PCI verified vendor) on our inquiry several weeks before: go to the compliance website and fill out the Self-Assessment Questionnaire, sign it and send it to your merchant processor, and that would be all that is required. I said we already did that, thanked him and hung up to call NAB back.
I called NAB back. I spoke to a customer service representative and explained what McAfee and the original PCI vendor told us. They put us on hold to ask a supervisor. When they came back they again told us we needed to have a scan done, and that if we didn't get one they would charge us the $79.99 to get it done. I honestly didn't know what to say at that point. What were they going to scan??? No coherent answer was given to this question. After the call I wasn't sure what to do: 2 PCI verified vendors were telling me one thing (one of them being the company NAB was supposedly contracting to do these scans) and NAB was telling me something else. Out of desperation I called McAfee back.
I called McAfee back and out of sheer luck I got the same person I spoke to before. I explained to him what NAB said and he seemed outright frustrated; he told me again of all the calls they have been getting from NAB customers. I told him I thought this was a big scam; he said nothing. He explained again that since there was no network he could not issue me any 'scan' certificates, and reiterated that all I needed was a self-signed certification for the dial-up terminal. I told him I knew this, but NAB didn't want to believe me. I asked if he could send me any official statement about this; he graciously agreed and in a short time I got an official written record from McAfee's PCI certified compliance department explaining that they could not issue me a scan certificate since there was nothing to scan. They also mentioned (again) that for a dial-up terminal all I had to do was fill out and sign the Self-Assessment Questionnaire, which was available free for everyone on the PCI council's website; he even provided a link to it. Reading the PCI compliance website some more, this makes sense: if you have a plain old dial-up terminal the only possible avenue of fraud is the information on the little receipts it prints which the customer has to sign. If you secure these, there is no other avenue of possible fraud (this is mentioned, and its security is required, in the certification you have to sign). Of course there is the dial-up terminal itself, but this is provided by NAB and you have no real control of the security aspects of this terminal. By the way, the terminal itself IS PCI compliant already.
I have sent this information to NAB and I'm waiting for their response. I don't expect to hear back from NAB any time soon; it doesn't matter at this point. Whether I get this charge removed or not, I will continue to collect information and post my experiences with NAB, hopefully informing other small merchants of this practice. I know from talking to the PCI representative that this is a widespread issue and NAB is trying to collect erroneous fees from their small unsuspecting merchants, the small mom and pop shops who usually will not research this issue and will probably just pay the fee. For these merchants I'm not even sure what the supposed PCI service that NAB is charging for is, since they always seemed to reject the validity of the self-assessment questionnaire that is posted on the council's site. Their $79.99 scan of thin air will accomplish zero for these merchants. Reviewing, filling out and complying with the council's questionnaire is all that is needed.
I'll leave you with one more bit of information, during my Internet searches I came upon a list put out by VISA which is posted on their site, named the "List of PCI DSS Compliant Service Providers". It is a PDF document with PCI compliance status of service providers. The list is available here:
And as of the end of December 2008, if you do a search in the document for "North American Bancard" you will see them in the list with a compliance date in YELLOW text. What does this mean? According to Visa, this indicates a service provider whose compliance report is "... 1-60 days late are noted in yellow ..."
Now ask yourself if you are willing to trust or give business to a company that will provide a scan of something they cannot even describe, for a fee of $79.99, something that no one else is willing or capable of doing, and with which they appear to be late in complying with themselves.
If you are anyone in a position to help, State Attorney's office, credit card company personnel (VISA/MASTERCARD/DISCOVER/AMEX), business organizations, someone from the PCI council, or just have a story or comment about this, please email me at firstname.lastname@example.org
*NOTE: I have omitted names, or used references to certain people, extensions, and some contact information to protect peoples privacy. If I am contacted by official sources who might help in this matter I will provide more information.
Company Response on 1/8/2009:
Dear Concerned Friend,
North American Bancard works very diligently to resolve all customer issues and complaints. Since our inception in 1992, we have worked with over 125,000 merchants of all sizes and levels of complexity. We provide a high level of service and support to our customers, as is evidenced by the low number of complaints we handle. Occasionally we, like any other large company, may make a mistake or mishandle an issue. When these are brought to our attention we resolve them to the best of our ability. Our 250+ employees work hard every day to make doing business with NAB a pleasure for our merchants and stakeholders, all we ask is the opportunity to recover well.
North American Bancard values the business of all of our merchants and we do not take complaints lightly. In an effort to address your many concerns and provide you with some very pertinent information specific to the PCI compliance mandate, we have compiled the information below for your review. Please keep in mind that your individual concerns regarding your “friend’s account” can only be addressed by making some general assumptions since specific account information and the business name were not provided for accurate research.
There are numerous organizations and groups that cater solely to the Small Business Merchant, such as the National Federation of Independent Business (NFIB), who have taken an active role in informing Small Businesses such as your friend’s on the requirements and importance of being PCI compliant.
The PCI Data Security Standard (PCI DSS) originally began as five different programs from the five credit card schemes (Visa, MasterCard, American Express, Discover, and JCB). Each company’s intentions were roughly similar: to create an additional level of protection for consumers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.
The Payment Card Industry Security Standards Council (PCI SSC) was formed as a neutral body to address conflicts among the credit card schemes in developing a standard. On Dec. 15, 2004 the credit card schemes aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS).
North American Bancard values the business of all of our merchants and we take pride in keeping all of our merchants informed and up to date. We ensure that our company information is easily accessible for our merchants and continue to strive to be an industry leader and innovator in the credit card processing industry. It is for that reason that we are taking a proactive role in ensuring all of our merchants meet the PCI compliance requirements. All entities involved in the collection, processing, and storage of credit card information, regardless of size or affiliation, must be compliant. It is an industry mandate imposed on all service providers and merchants that accept credit cards.
We notified our merchants of this mandate and the one-time $79 fee on their November 2008 statement. They were advised that the $79 fee provided them with access to the tools that can help them achieve and maintain compliance. We have also advised our merchants that the fee was not imposed on them by McAfee, nor does it cover the cost of software. It is the fee assessed to all of our merchants to mitigate the costs associated with becoming and maintaining compliance, updating terminal software nationwide (including enhanced protocols for protection of cardholder data passed by the Fair and Accurate Credit Transaction Act (FACTA) mandating how card numbers and expiration dates must appear on receipts), providing applications with enhanced security, and replacing non-compliant hardware.
You posed a question in reference to the “differences in regulations” for merchants of different sizes and sales volume. There definitely are differences in what is required for each merchant type, but it is not solely based on their size or sales volume; it also takes into consideration what they use to process (software, telephone, terminal etc.). Although your friend's grocery store may seem small in comparison to a big box retailer, such as Sears as you stated, both companies are at risk for security breaches if they are not in compliance. The PCI compliance mandate not only pertains to how you process credit cards, but also how you store and transmit that credit card information. For example, let’s say all of your terminals and/or software are PCI compliant, but you use some sort of offline accounting system or you store all of your cardholder information on a laptop. The laptop is later stolen, relinquishing you of all that cardholder information. You have now encountered a security breach that could have been avoided, yet you are now potentially at risk for serious fines, penalties, and/or lawsuits. Hopefully your friends would not make this careless mistake, but there are thousands of merchants big and small that have. If there was not a problem, this industry-wide mandate would not have occurred. There are many merchants big and small who value these services and need them to ensure their business practices are within guidelines and that they are not penalized for actions that they were unaware of. That is only one example, and there are many more that the PCI council can advise you on. Please keep in mind that we do not work for the PCI council, nor are we on their board or have membership in their organization, but we, like our merchants, must be in compliance.
North American Bancard partnered with McAfee, a leader in the security risk management industry, in late 2008 to give our merchants full access to McAfee PCI Compliance Service at no charge. There are only a few steps our merchants need to complete to determine if they are in compliance. Our retail merchants (those that do not process credit card transactions online, with software, and are not considered e-commerce) will need to go to the website www.NABPCI.com and complete the Self Assessment Questionnaire. Upon completion they will need to fax a copy of the completed Questionnaire to our Customer Service department at (248) 283-6260 for validation. Our E-Commerce merchants (those that are processing via the Internet, with software, and/or online) will also need to go the website and complete the Self Assessment Questionnaire in addition to utilizing the Scan Tool. Upon completion of the Scan Tool, the E-Commerce merchants will receive a compliance Certificate if they are in compliance. This certificate is good for 12 months and they will also need to fax it to our Customer Service Department for validation at the number stated above.
Please note that some terminals are capable of processing credit card transactions online (IP) and via dial-up. Merchants with these terminals would be required to complete the Scan Tool regardless of how they process to ensure the device itself is compliant. In regards to your concern pertaining to the “network scan”, without the account number or business name we are unable to identify your friend’s specific account, and therefore have no way of accurately identifying which type of equipment they have or if the information they were provided with was inaccurate.
In conclusion, all merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirements for organizations that process, store or transmit payment cardholder data. The PCI Security Standards Council (PCI SSC) is responsible for managing the security standards, while each individual payment brand is responsible for managing and enforcing compliance to these standards. For questions regarding compliance validation requirements and deadlines as well as compliance reporting requirements, please advise your friend to contact North American Bancard’s Customer Service Department at (1800) 226-2273 extension 1300. In regards to refunding the one-time only fee of $79, we will do so if the merchant became compliant prior to our notification in November 2008. For more information regarding the PCI security standards, please refer to their website https://www.pcisecuritystandards.org/.
North American Bancard