Tuesday, September 08, 2009

Bye Bye eCommerce

CCG has accepted credit cards for 10 years or more. Today we no longer accept them. The death blow came in two punches.

The first punch came months ago when our merchant account provider began to charge us an annual fee for Payment Card Industry (PCI) Data Security Standard (DSS) compliance. We had to prove to our merchant provider that we handled our client data securely. The only problem is that we can't do that. The reason we can't do that is that we simply don't collect client credit card data in the first place.

Our system has always consisted of a login to access your invoices. If you chose to pay an invoice online, we redirected you to Authorize.net, who collected your credit card info securely, then returned a success or failure code and an email. Our system never handled any of the required data, and only received a pass/fail notice in order to update the status of the paid invoice.
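The hosted-payment flow described above, as an added example that is not part of the original post and does not reproduce Authorize.net's actual relay-response format: the merchant server never sees a card number, so the one thing it must still get right is authenticating the pass/fail notice before it marks an invoice paid. The scheme below assumes a hypothetical gateway that signs its callback fields with HMAC-SHA256 under a shared key; the key, invoice ledger and callback values are all constructed for the example.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

# Shared secret agreed with the (hypothetical) gateway out of band. Constructed value.
GATEWAY_SIGNING_KEY = b"example-signing-key-do-not-reuse"

# Fields the gateway signs, in the fixed order used to build the MAC. Assumed scheme.
SIGNED_FIELDS = ("invoice_id", "amount", "status", "transaction_id")


def make_ledger():
    """Constructed invoice ledger: invoice id -> amount due and paid flag."""
    return {
        "INV-1001": {"amount": Decimal("125.00"), "paid": False},
        "INV-1002": {"amount": Decimal("80.00"), "paid": False},
    }


def sign_callback(fields, key=GATEWAY_SIGNING_KEY):
    """Compute the MAC the gateway attaches: HMAC-SHA256 over the signed fields
    joined by '|'. The merchant recomputes this on receipt."""
    msg = "|".join(str(fields[name]) for name in SIGNED_FIELDS).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def apply_payment_callback(params, invoices, seen, key=GATEWAY_SIGNING_KEY):
    """Validate a gateway callback and, only if everything checks out, mark the
    invoice paid. Returns (accepted, reason). `seen` holds transaction ids already
    accepted so a captured callback cannot be replayed."""
    missing = [name for name in SIGNED_FIELDS + ("signature",) if name not in params]
    if missing:
        return False, "missing fields: " + ", ".join(missing)

    # Authenticate first: a forged "APPROVED" without the key must fail here.
    expected = sign_callback(params, key)
    if not hmac.compare_digest(expected, str(params["signature"])):
        return False, "bad signature"

    if params["status"] != "APPROVED":
        return False, "declined: " + str(params["status"])

    invoice = invoices.get(params["invoice_id"])
    if invoice is None:
        return False, "unknown invoice"

    # The gateway reports what was charged; it must match what we billed.
    try:
        amount = Decimal(str(params["amount"]))
    except InvalidOperation:
        return False, "unparseable amount"
    if amount != invoice["amount"]:
        return False, "amount mismatch"

    if params["transaction_id"] in seen:
        return False, "replayed transaction"
    if invoice["paid"]:
        return False, "already paid"

    seen.add(params["transaction_id"])
    invoice["paid"] = True
    return True, "paid"


if __name__ == "__main__":
    ledger, seen_txns = make_ledger(), set()
    # Constructed callback as the gateway would send it after a successful charge.
    callback = {"invoice_id": "INV-1001", "amount": "125.00",
                "status": "APPROVED", "transaction_id": "T-0001"}
    callback["signature"] = sign_callback(callback)
    print(apply_payment_callback(callback, ledger, seen_txns))   # accepted
    print(apply_payment_callback(callback, ledger, seen_txns))   # replay rejected
    tampered = dict(callback, amount="1.00")
    print(apply_payment_callback(tampered, ledger, seen_txns))   # signature fails
```

The order of checks matters: the MAC is verified before any field is trusted, the amount is compared against the merchant's own record rather than the customer-supplied one, and the transaction id is recorded so the same notice cannot be accepted twice.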

Now, in order to show compliance, in essence, we would have to begin collecting all of this data. Then we would have to store it securely and demonstrate that our security is robust. On the face of it this is ridiculous. Isn't it more secure never to collect and store the data in the first place? Still, that is not an option on the checklist. The upshot is that our provider began to hit us with an annual compliance fee and a monthly non-compliance penalty. Talk about your catch-22.

We interviewed other providers and were told that, while we would get hit with a one-time fee to prove (or disprove) compliance, we would never be hit every year and certainly wouldn't be fined monthly. Great, sign us up! Things went back to normal shortly after we switched merchant account providers, and our other fees went down too.

The second punch came this week. We got a compliance letter from the new provider. They are now charging us annually so they can check our compliance. And they will fine us monthly until we can prove we comply. How can you prove a negative? How are we supposed to prove we protect data we don't collect or store?

Oh well, so long credit card companies. I do truly appreciate your efforts to protect our privacy, really I do. But until you go about it in a sane manner, I can't be your customer any longer. Sniff... oh well, I don't need to pay you to get paid any more anyway.
