  • Report:  #828532

Complaint Review: security metrics & first data - Internet Internet

Reported By:
securitymetrics&firstdata - , Nevada, United States of America

security metrics & first data
4000 coral ridge drive Internet, Internet, United States of America
Web:
www.firstdata.com
Let it be known that security metrics and first data run an underhanded scheme. let me explain... first data (a credit card processor) requires you be pci compliant otherwise they charge you a $25 a month fee. first data relies on securitymetrics.com to inform them when you are not compliant and then the fee hits your account. so in our case one of security metrics' methods to make sure you are pci compliant is to scan your ip address monthly and in our case we have a dynamic ip address through at&t so it changes quite often. security metrics scans the ip we had several weeks ago that no longer applies to us and returns a negative result, reports it to first data and they in turn charge us the $25 month fee. we call first data and ask them to remove the fee (only after spotting it on monthly statement) and they say we will put in a request to have it credited but we can only credit one fee per 12 months. by the time you get your statement from first data you are already into the next billing cycle so sure enough you get hit with the fee again by them.

the process goes on and on and they continue to charge. securitymetrics has an option to email you when you are not pci compliant which by the time you receive it and fix it (or in our case call them and tell them our ip address to the dsl at our office is dynamic please update it to....) it's too late and they already have reported to first data you are non-compliant. the whole thing is an underhanded way to charge you $25 per month. we urge you to STAY AWAY FROM securitymetrics and first data! they will bilk you with fees such as this and many others.


6 Updates & Rebuttals

"security metrics scam" 

United States
Security Metrics is a SCAM

#2 Consumer Comment

Thu, April 15, 2021

All these guys do is spend their days scamming all the suffering small business owners who don't know any better. Don't believe all of their hollow "security metrics scam" threats; chances are that your credit card company already has full PCI compliance which you are already paying for. Our small business paid hard-earned money to these idiots for YEARS for DOING NOTHING.

At my last renewal in 2021 they asked for around $750.00, which was a substantial increase from years before, so I did some looking around and found out they offer a REDUNDANT, UNNECESSARY SERVICE. They should be ashamed of themselves as Americans, and what they are doing to small businesses, but I'm sure they aren't. DON'T PAY THEM A DIME.

HERE IS THE NAME OF THE GUY WHO CALLED ME:  THEY USE MANY VARIATIONS OF TELEPHONE NUMBERS USING THE UTAH 801 AREA CODE.

MICHAEL NUTTALL | HIPAA & PCI Accounts Manager

US: 801.995.6370 -- IS A SECURITY METRICS SCAM


Devon E

Modesto,
California,
Perspective From A PCI Expert

#3 Consumer Comment

Sat, July 13, 2013

PCI compliance, created and mandated by the Payment Card Industry (PCI), is indeed required of businesses that accept credit cards.  If you are a business owner and accept credit cards/numbers from customers then you are obligated by the Payment Card Industry to validate or have certified documentation verifying that you have the correct processing policies/procedures in place to be considered by the PCI as "PCI compliant".  If you wish to hear it from the PCI, visit: www.pcisecuritystandards.org.  You'll be educated on the standards of VISA, MC, AMEX, Discover, & JCB.

The confusion most people have comes from the standing SecurityMetrics and First Data have in getting merchants into the "compliant" category.  VISA, MC, AMEX, Discover, & JCB (who collectively make up the PCI) do require all businesses that accept credit cards to validate compliance but currently leave it up to merchant processing companies such as First Data (in this case) to enforce it.  Since First Data is not certified by the Payment Card Industry as an Authorized Scanning Vendor, as most processing companies aren't, they must recommend their merchants to use a company such as SecurityMetrics to validate that the merchant is following the standards set by the Payment Card Industry.

Sure, I personally am not fond of First Data myself.  Though to file a complaint against First Data and SecurityMetrics because they charge fees for PCI compliance can be very closely compared to filing a complaint against local government and Jiffy Lube for charging fees to have your vehicle registered and have your safety and emissions done.  If you wish to drive a car on the road you must be able to provide certified documentation that your vehicle is safe on the road and have it re-registered regularly.  I sustain this law 100% for the safety of myself and my family.

In this analogy First Data is like the local government.  They did not create the PCI compliance standards, but as the largest card processing company in the US, they are highly obligated to enforce PCI compliance as they are expected by the Payment Card Industry.  In the same way, the local government also requires current vehicle registration due to the pressure put upon them by higher authority - the law.  First Data does charge fees to merchants who fail to validate compliance, but that is how First Data chooses to incentivise the requirement.  Granted, it is inconvenient but those fees are avoidable as long as merchants complete what they are required to complete.  You also avoid police issued citations for updating your registration on time.  Frankly the PCI process is very simple, so it is best not to procrastinate.

Poor SecurityMetrics (not a credit card processor) gets even more unfairly accused as they do not require PCI compliance, charge non-compliance fees, or publicize non-compliance.  They just help merchants get it done.  SecurityMetrics can be compared to your local Jiffy Lube.  Drivers are required by law to have a current registration sticker on their license plate in order to drive legally on the road.  Since Jiffy Lube is certified by the government to perform safety and emissions tests on your vehicle for you to pass you off do you gripe about them or slap their business name up on Rip Off Report for charging you for their services?  Of course not.  Also, when a vehicle fails an inspection they do not run to the local authority and tattle on the owner of the vehicle.  They simply do not issue the pass-off.  In the same way SecurityMetrics is a company (out of many) certified by the Payment Card Industry to pass off merchants who need to validate compliance.  If a merchant uses internet connected systems in order to process credit cards and requires quarterly vulnerability testing, for example, SecurityMetrics will scan that internet network and report back to the customer (NOT THE CARD PROCESSOR) what needs to be fixed (if anything).  They do charge for that service of course as any business should/would, but they do not run and tattle on a merchant with an insecure internet network or failing scan.  They simply assess the security of a business's processing methods and policies, and once that business is up to par with what the PCI requires they shoot a certificate to the processing company.  They also will not scan your internet connection if they do not get paid to do it.  So, if you do not want to be scanned don't give them your IP address and money.  And if a merchant is worried because their IP address keeps changing, either keep your ASV up to date with what it changes to or switch and get a static IP address.  
I don't understand how the whole dynamic IP address thing was pegged on SecurityMetrics in the first place, but there you go.

I understand that PCI compliance validation is inconvenient and seemingly pointless to those who do not understand the requirement.  I didn't create it, but as a merchant I am also required to follow the necessary standards in order to get my business in compliance.  Fortunately I did compliance consulting for 5 years, so I understand the necessity.  The money trafficked these days through online hackers and credit card fraud has far surpassed the dollar amount trafficked via the buying and selling of narcotics.  It is crazy, really.  VISA, MC, AMEX, Discover and JCB created the PCI standards in order to protect businesses and customers from the biggest threat to the American economy - credit card fraud.  Hopefully from now on the 150 bucks or so that we have to pay each year to get it completed won't seem so absurd compared to the tens of thousands of dollars it could save us in the event of a compromise.


Reviewer

SecurityMetrics is Unfair Enterprise

#4 Consumer Comment

Wed, May 01, 2013

Security Me Tricks ;-) can charge you tons of fees $120 per year (can be as high as $480) plus they will do hacks to your site without notifying the merchant first, so you may receive several hundreds of notification emails from your store that unauthorized access was attempted! And the IP addresses will point towards Security Metrics.

And what's worst is that I never signed up with them and they keep on emailing me even after the FirstData quit doing business with them. After I called SecurityMetrics and asked why they email me even if that FirstData no longer does business with them, they told me, yes, my account with them has expired and they will now remove me from their mailing list! After all those years I paid them $27 per month and $120 per year totaling in $456 per year! And I got nothing in return! I only got questionnaires and statements with impossible to understand techie language and I was unable to meet any of those. Then several times I asked SecurityMetrics to explain some of those techie languages that I'm supposed to comply with, but they responded they do not know what that is and that I must pay someone to explain them to me! Excuse me!? They are the ones charging FirstData and FirstData charging me in return and the stuff they write up they don't even know what it is and no help from them whatsoever other than hacking into my site and sending me "Egyptian language"? So I tried to get help explaining to me those techie languages that SecurityMetrics sent me, but I was told that PCI Compliance and the techie language explanation to me will be charged to me a US$100,000, which is a price of my entire house! And I'm only making now about US$800 a month! Are they kidding? No wonder FirstData quit doing business with SecurityMetrics.


tipper

lansing,
Iowa,
Follow the money

#5 Consumer Comment

Mon, April 22, 2013

PCI compliance;
Well, as a business that uses First Data, I was told that I now will have to pay $139/yr to be pci certified.
Never had a chargeback, years with them, etc etc & blah, blah-doesn't matter.. they want the money.

They will charge because they can. As an innkeeper operating a B&B, I have found a card processor that caters to B&B's specifically and will now use them and guess what- no pci compliance fee and a flat 2.5% for non Amex. Should have left sooner!


a.b7756

United States of America
Just Listen

#6 UPDATE Employee

Mon, November 26, 2012

Maybe you should truly get your facts straight. The people you talk to on the phone with first data's PCI compliance department are not the scam artists. We are trained on what it is, and we help you. We don't have any say on prices or anything that is charged to the merchants. You should really understand what we do and not blame us for YOU not doing what you're SUPPOSED to do. It is REQUIRED by the credit card companies and the government that you are COMPLIANT. If you're not and you ignore this, then you won't be able to take credit cards. If you don't believe it, then go call your credit card company and ASK THEM. You should really get your facts straight before you b*tch about it.


MysticSage22

Bellevue,
Nebraska,
United States of America
Quick Word

#7 UPDATE Employee

Thu, February 09, 2012

Do you know what PCI Compliance is? You have to have it. Security Metrics certifies it. VISA/MC/DISC require it. If YOU don't have what VISA requires somebody's going to be fined. Why not you?
