North American Bancard North American Bancard, PCI Compliance Trouble, Possible Scam/Fraud/Deceptive Practice - Credit Card Processing Services Troy Michigan

I have tried contacting North American Bancard recently, but try and try they seem so swamped.. you are on hold for a LONG TIME! Must be all the phone calls they are getting about the PCI charge.

We sent them our PCI compliance paperwork, yet they will not honor this saying its not valid. Back and forth back and forth, and every time their story changes.

Their latest statment gives a link to where you can file the report, but what they fail to mention is you can file the self-assesment for FREE!!! See for yourself here:
https://www.pcisecuritystandards.org/saq/index.shtml
And note that is the OFFICIAL site of the PCI council.

We have done so and they say, sorry, you should have done it before November. But they told us so in DECEMBER!

A sad, sorry way for a big company to be taking advantage of small merchants. Charging for a service that they can get for free, there really is no service anyway if all you have to do is sign a form. Stay far far away from North American Bancard!

Regards,
Merchant

We apologize if anyone feels our attempt to educate readers on the particulars of PCI was not specific enough. Unfortunately, without knowing the particular merchant account in question we are unable to respond with specific information.

Please note, however, that our response does indicate that if the merchant is processing with a dial up terminal a scan is not necessary, however, a Self Assessment Questionnaire is. The original response stated: Our retail merchants (those that do not process credit card transactions online, with software, and are not considered e-commerce) will need to go to the website www.NABPCI.com and complete the Self Assessment Questionnaire. Upon completion, they will need to fax a copy of the completed Questionnaire to our Customer Service department at (248) 283-6260 for validation. As stated it is only our E-Commerce merchants that are also required to perform a scan.

North American Bancard

That reply from NAB makes it pretty clear to me why the OP is frustrated. The responder takes a clear cut issue and proceeds to make a rambling, semi-coherent response.

Bottom line is that a simple dial up terminal with no other external connections needs just the self-certification that the OP mentioned. NAB customer service repeatedly insisting on a scan makes it obvious that they have no idea what a scan is. It is also seeming obvious to me that this NAB rep is going out of his way to confuse the issue in order to justify their ridiculous charge for security compliance. This is not rocket science (but they want to make it seem as though it is).

North American Bancard works very diligently to resolve all merchant issues and complaints. Since our inception in 1992, we have worked with over 125,000 merchants of all sizes and levels of complexity. We provide a high level of service and support to our merchants, as is evidenced by the low number of complaints we handle. Occasionally we, like any other large company, may make a mistake or mishandle an issue. When these are brought to our attention we resolve them to the best of our ability. Our 250+ employees work hard every day to make doing business with NAB a pleasure for our merchants and stakeholders, all we ask is the opportunity to recover well.

North American Bancard values the business of all of our merchants and we do not take complaints lightly. In an effort to address your many concerns and provide you with some very pertinent information specific to the PCI compliance mandate, we have compiled the information below for your review. Please keep in mind that your individual concerns regarding your friend's account can only be addressed by making some general assumptions since specific account information and the business name were not provided for accurate research.

There are numerous organizations and groups that cater solely to the Small Business Merchant, such as the National Federation of Independent Business (NFIB), who have taken an active role in informing Small Businesses such as your friend's on the requirements and importance of being PCI compliant.

The PCI Data Security Standard (PCI DSS) originally began as five different programs from the five credit card schemes (Visa, MasterCard, American Express, Discover, and JCB). Each company's intentions were roughly similar: to create an additional level of protection for consumers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.

The Payment Card Industry Security Standards Council (PCI SSC) was formed as a neutral body to address conflicts among the credit card schemes in developing a standard. On Dec. 15, 2004 the credit card associations aligned their individual policies and issued the Payment Card Industry Data Security Standard (PCI DSS).

North American Bancard values the business of all of our merchants and we take pride in keeping all of our merchants informed and up to date. We ensure that our company information is easily accessible for our merchants and continue to strive to be an industry leader and innovator in the credit card processing industry. It is because of that that we are taking a proactive role in ensuring all of our merchants meet the PCI compliancy requirements. All entities involved in the collection, processing, and storage of credit card information, regardless of size or affiliation must be compliant. It is an industry mandate imposed on all service providers and merchants that accept credit cards.

We notified our merchants of this mandate and the one time $79 fee on their November 2008 statement. They were advised that the $79 fee provided them with access to the tools that can help them achieve and maintain compliance. We have also advised our merchants that the fee was not imposed on them from McAfee nor does it cover the cost of software. It is the fee assessed to all of our merchants to mitigate the costs associated with becoming compliant and maintaining compliance, updating terminal software nationwide (including enhanced protocols for protection of cardholder data passed by the Fair and Accurate Credit Transaction Act (FACTA) mandating how card numbers and expiration dates must appear on receipts), providing applications with enhanced security, and replacing non-compliant hardware.

You posed a question in reference to the differences in regulations for merchants of different sizes and sales volume. There definitely are differences in what is required for each merchant type, but it is not solely based on their size or sales volume, it also takes into consideration what they use to process (software, telephone, terminal etc.). Although your friend's grocery store may seem small in comparison to a big box retailer, such as Sears as you stated, both companies are at risk for security breaches if they are not in compliance. The PCI compliance mandate not only pertains to how you process credit cards, but also how you store and transmit that credit card information. For example, let's say all of your terminals and/or software are PCI compliant, but you use some sort of offline accounting system or you store all of your cardholder information on a laptop. The laptop is later stolen, therefore allowing unintended access to all that cardholder information. You have now encountered a security breach that could have been avoidable, and you are now potentially at risk for serious fines, penalties, and/or lawsuits. Hopefully, your friend would not make this careless mistake, but there are thousands of merchants big and small that have. If there was not a problem, this industry wide mandate would not be necessary. There are many merchants big and small who value these services, and need them both to ensure their business practices are within guidelines and to avoid being penalized. This is only one example, and there are many more of which the PCI council can advise you. Please keep in mind that we do not work for the PCI council, nor are we on its board or have membership in its organization, but we, like our merchants, must be in compliance.

North American Bancard partnered with McAfee, a leader in the security risk management industry, in late 2008, to give our merchants full access to McAfee PCI Compliance Service at no additional charge. There are only a few steps our merchants need to complete to determine if they are in compliance. Our retail merchants (those that do not process credit card transactions online, with software, and are not considered e-commerce) will need to go to the website www.NABPCI.com and complete the Self Assessment Questionnaire. Upon completion, they will need to fax a copy of the completed Questionnaire to our Customer Service department at (248) 283-6260 for validation. Our E-Commerce merchants (those that are processing via the Internet, with software, and/or online) will also need to go the website and complete the Self Assessment Questionnaire, in addition to utilizing the Scan Tool. Upon completion of the Scan Tool, the E-Commerce merchants will receive a compliance Certificate if they are in compliance. This certificate is good for 12 months and they will also need to fax it to our Customer Service Department for validation at the number stated above.

Please note that some terminals are capable of processing credit card transactions online (IP) and via dial-up. Merchants with these terminals would be required to complete the Scan Tool regardless of how they process to ensure the device itself is compliant. In regards to your concern pertaining to the network scan, without the account number or business name we are unable to identify your friend's specific account, and therefore have no way of accurately identifying which type of equipment they have or if the information they were provided with was inaccurate.

In conclusion, all merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirements for organizations that process, store or transmit payment cardholder data. The PCI Security Standards Council (PCI SSC) is responsible for managing the security standards, while each individual payment brand is responsible for managing and enforcing compliance with these standards. For questions regarding compliance validation requirements and deadlines as well as compliance reporting requirements, please advise your friend to contact North American Bancard's Customer Service Department at (1800) 226-2273 extension 1300. In regards to refunding the one time only fee of $79, we will do so if the merchant became compliant prior to our notification in November 2008. For more information regarding the PCI security standards, please refer to their website h(((Redacted))) To see the current list of PCI DSS Compliant Service Providers (including North American Bancard) see the below link or visit Visa's website. (((Redacted)))
Sincerely,


CLICK here to see why Rip-off Report, as a matter of policy, deleted either a phone number, link or e-mail address from this Report.
North American Bancard

To add fuel to the fire ....NAB is paying or compensating their Merchant Reps/
Agents 10% of the $ 79.00 PCI fee. This for their time and trouble incurred to guide their merchants on how to complete the compliance.

Total Merchant Services is compensating their Partners/Agents 5% of their $69.00 PCI. This calculates to a whopping $3.45 per MID or merchant account number. However, they are also willing to divide the fee into payments for up to 12 months.

First Data Alliance Banks i.e. Chase, Suntrust, Huntington, sent out notices to their merchants announcing they will charged the PCI of as much as $139.95 on Jan 1st 2009 if the merchant was processing as of Dec 14th 2009.

Elavon ( formerly NOVA ) has the best PCI program so far. They initially contacted merchants using 3rd party software, web hosting companies, or gateways. Not the small merchant using a credit card terminal.