• Report: #828532

Complaint Review: security metrics & first data

  • Submitted: Wed, January 25, 2012
  • Updated: Mon, November 26, 2012

  • Reported By: securitymetrics&firstdata — Nevada United States of America
security metrics & first data
4000 coral ridge drive Internet United States of America

security metrics & first data security metrics scam first data bad dishonest review Internet, Internet

*Consumer Comment: Perspective From A PCI Expert

*Consumer Comment: SecurityMetrics is Unfair Enterprise

*Consumer Comment: Follow the money

*UPDATE Employee: Just Listen

*UPDATE Employee: Quick Word

What's this?
What's this?
What's this?
Is this
Ripoff Report
About you?
Ripoff Report
A business' first
line of defense
on the Internet.
If your business is
willing to make a
commitment to
customer satisfaction
Click here now..

Does your business have a bad reputation?
Fix it the right way.
Corporate Advocacy Program™

SEO Reputation Management at its best!

Let it be known that security metrics and first data run a under-handed scheme. let me explain... first data (a credit card processor) requires you be pci compliant otherwise they charge you a $25 a month fee. first data relys on securitymetrics.com to inform them when you are not complaint and then the fee hits your account. so in our case one of security metrics methods to make sure you are pci compliant is to scan your ip address monthly and in our case we have an dynamic ip address through at&t so it changes quite often. security metrics scans the ip we had several weeks ago that no longer applies to us and returns a negative result, reports it to first data and they in turn charge us the $25 month fee. we call first data and ask them to remove the fee (only after spotting it on monthly statement) and they say we will put in a request to have it credited but we can only credit one fee per 12 months. by the time you get your statement from first data you are already into the next billing cycle so sure enough you get hit with the fee again by them.

the process goes on and on and they continue to charge. securitymetrics has an option to let email you when you are not pci compliant which by the time you receive it and fix it (or in our case call them and tell them our ip address to the dsl at our office is dynamic please update it to....) it's too late and they already have reported to first data you are non complaint. the whole thing is a under-handed way to charge you $25 per month. we urge you to STAY AWAY FROM securitymetrics and first data! they will bilk you with fees such as this and many others.

This report was posted on Ripoff Report on 01/25/2012 02:59 PM and is a permanent record located here: http://www.ripoffreport.com/r/security-metrics-first-data/internet/security-metrics-first-data-security-metrics-scam-first-data-bad-dishonest-review-Inter-828532. The posting time indicated is Arizona local time. Arizona does not observe daylight savings so the post time may be Mountain or Pacific depending on the time of year.

Ripoff Report has an exclusive license to this report. It may not be copied without the written permission of Ripoff Report.

Click Here to read other Ripoff Reports on security metrics & first data

Search for additional reports

If you would like to see more Rip-off Reports on this company/individual, search here:

Search Tips
Report & Rebuttal
Respond to this report!
What's this?
Also a victim?
What's this?
Repair Your Reputation!
What's this?
0Author 5Consumer 0Employee/Owner
Updates & Rebuttals

#1 Consumer Comment

Perspective From A PCI Expert

AUTHOR: Devon E - ()

PCI compliance, created and mandated by the Payment Card Industry (PCI), is indeed required of businesses that accept credit cards.  If you are a business owner and accept credit cards/numbers from customers then you are obligated by the Payment Card Industry to validate or have certified documentation verifying that you have the correct processing policies/procedures in place to be considered by the PCI as "PCI compliant".  If you wish to hear it from the PCI, visit: www.pcisecuritystandards.org.  You'll be educated on the standards of VISA, MC, AMEX, Discover, & JCB.

The confusion most people have comes from the standing SecurityMetrics and First Data have in getting merchants into the "compliant" category.  VISA, MC, AMEX, Discover, & JCB (who collectively make up the PCI) do require all businesses that accept credit cards to validate compliance but currently leave it up to merchant processing companies such as First Data (in this case) to enforce it.  Since First Data is not certified by the Payment Card Industry as an Authorized Scanning Vendor, as most processing companies aren't, they must recommend their merchants to use a company such as SecurityMetrics to validate that the merchant is following the standards set by the Payment Card Industry.

Sure, I personally am not fond of First Data myself.  Though to file a complaint against First Data and SecurityMetrics because they charge fees for PCI compliance can be very closely compared to filing a compliant against local government and Jiffy Lube for charging fees to have your vehicle registered and have your safety and emissions done.  If you wish to drive a car on the road you must be able to provide certified documentation that your vehicle is safe on the road and have it re-registered regularly.  I sustain this law 100% for the safety of myself and my family.

In this analogy First Data is like the local government.  They did not create the PCI compliance standards, but as the largest card procesing company in the US, they are highly obligated to enforce PCI compliance as they are expected by the Payment Card Industry.  In the same way, the local government also requires current vehicle registration due to the pressure put upon them by higher authority - the law.  First Data does charge fees to merchants who fail to validate compliance, but that is how First Data chooses to incentivise the requirement.  Granted, it is inconvenient but those fees are avoidable as long as merchants complete what they are required to complete.  You also avoid police issued citations for updating your registration on time.  Frankly the PCI process is very simple, so it is best not to procrastinate.

Poor SecurityMetrics (not a credit card processor) gets even more unfairly accused as they do not require PCI compliance, charge non-compliance fees, or publicize non-compliance.  They just help merchants get it done.  SecurityMetrics can be compared to your local Jiffy Lube.  Drivers are required by law to have a current registration sticker on their license plate in order to drive legally on the road.  Since Jiffy Lube is certified by the government to perform safety and emissions tests on your vehicle for you to pass you off do you gripe about them or slap their business name up on Rip Off Report for charging you for their services?  Of course not.  Also, when a vehicle fails an inspection they do not run to the local authority and tattle on the owner of the vehicle.  They simply do not issue the pass-off.  In the same way SecurityMetrics is a company (out of many) certified by the Payment Card Industry to pass off merchants who need to validate compliance.  If a merchant uses internet connected systems in order to process credit cards and requires quarterly vulnerability testing, for example, SecurityMetrics will scan that internet network and report back to the customer (NOT THE CARD PROCESSOR) what needs to be fixed (if anything).  They do charge for that service of course as any business should/would, but they do not run and tattle on a merchant with an insecure internet network or failing scan.  They simply assess the security of a business's processing methods and policies, and once that business is up to par with what the PCI requires they shoot a certificate to the processing company.  They also will not scan your internet connection if they do not get paid to do it.  So, if you do not want to be scanned don't give them your IP address and money.  And if a merchant is worried because their IP address keeps changing, either keep your ASV up to date with what it changes to or switch and get a static IP address.  I don't understand how the whole dynamic IP address thing was pegged on SecurityMetrics in the first place, but there you go.

I understand that PCI compliance validation is inconvenient and seemingly pointless to those who do not understand the requirement.  I didn't create it, but as a merchant I am also required to follow the necessary standards in order to get my business in compliance.  Fortunately I did compliance consulting for 5 years, so I understand the necessity.  The money trafficked these days through online hackers and credit card fraud has far surpassed the dollar amount trafficked via the buying and selling of narcotics.  It is crazy, really.  VISA, MC, AMEX, Discover and JCB created the PCI standards in order to protect businesses and customers from the biggest threat to the american economy - credit card fraud.  Hopefully from now on the 150 bucks or so that we have to pay each year to get it completed won't seem so absurd compared to the tens of thousands of dollars it could save us in the event of a comprmise.

Respond to this report!
What's this?

#2 Consumer Comment

SecurityMetrics is Unfair Enterprise

AUTHOR: Reviewer - ()

Security Me Tricks ;-) can charge you tons of fees $120 per year (can be as high as $480) plus they will do hacks to your site without notifying the merchant first, so you may receive several hundreds of notification emails from your store that unaithorized access was attempted! And the IP addresses will point towards Security Metrics.

And what's worst that I never signed uup with them and they keep on emailing me even after the FirstData quit doing business with them. After I called SecurityMetrics and asked why they email me even if that FirstData no longer does business with them, they tolds me, yes, my account with them has expired and they will now remove me from their mailing list! After all those years I paid them $27 per mon th and $120 per year totaling in $456 per year! And I got nothing ihn return! I only got questionnaires and statements with impossible to unbderstand techie language and i was unable to meet any of those. Then several times I asked SecurityMetrics to explain some of those techie languages that I'm supposed to compliance with, but they responded they do not know what that is and that I must pay someone to explain them to me! Excuse me!? They are the ones charging FirstData and FirstData charging me in return and the stuff they write up they don't even kiw what it is and no help from them whatsoever other than hacking into my site and sending my "Egyptian language"? So I tried to get help explaining to me those techie languages that SecurityMetrics sent me, but I was told that PCI Compliance and the etchie lanbgfuage explanation to me will be charged to me a US$100,000, which is a price of my entire house! And I'm aonly making bnow about US$800 a month! Are they kidding? No wonder FirstData quit doing business with SecurityMetrics.

Respond to this report!
What's this?

#3 Consumer Comment

Follow the money

AUTHOR: tipper - ()

PCI compliance;
Well, as a business that uses First Data, I was told that I now will have to pay $139/yr to be pci certified.
Never had a chargeback, years with them, etc etc & blah, blah-doesn't matter.. they want the money.

They will charge because they can. As an innkeeper operating a B&B, I have found a card processor that caters to B&B's specifically and will now use them and guess what- no pci compliance fee and a flat 2.5% for non Amex. Should have left sooner!
Respond to this report!
What's this?

#4 UPDATE Employee

Just Listen

AUTHOR: a.b7756 - (United States of America)

Maybe you should truly get your facts straight. The people you talk to on the phone with first data's PCI compliance department, are not the scam artists. We are trained on what it is, and we help you. We don't have any say on prices or anything that is charged to the merchants. You should really understand what we do and not blame us for YOU not doing what your SUPPOSED to do. It is REQUIRED by the credit card companies and the government that you are COMPLIANT. If you're not and you ignore this, then you won't be able to take credit cards. If you don't believe it, then go call your credit card company and ASK THEM. You should really get your facts straight before you b*tch about it.
Respond to this report!
What's this?

#5 UPDATE Employee

Quick Word

AUTHOR: MysticSage22 - (United States of America)

Do you know what PCI Compliance is? You have to have it. Security Metrics certifies it. VISA/MC/DISC require it. If YOU don't have what VISA requires somebodies going to be fined. Why not you?
Respond to this report!
What's this?
Report & Rebuttal
Respond to this report!
What's this?
Also a victim?
What's this?
Repair Your Reputation!
What's this?