This may be the most boring blog post you read all week. Just giving you fair warning. But it illustrates the tightrope we walk nearly every day when it comes to keeping our expenses down so we can offer our services to you at rates that are as low as possible. For us, the hardest costs to control are those that are deeply hidden or embedded in our work processes.
We all have business costs. No one can offer a service without incurring expenses. Some are obvious and are things that nonprofit agencies like MCLS and libraries share. Things like salaries and benefits of staff members, the computers we purchase for staff and patrons, furniture, building expenses, and lawn mowing and snow removal. Then there are many costs of doing business that are hidden and not apparent unless you stop to think about them. Included here may be elevator inspections, maintenance contracts, and….credit card fees.
Most consumers probably don’t think about the fact that every time they use a credit card, the merchant pays a fee, usually to a bank. These interchange fees amount to about $48 billion a year. Ouch. MCLS’s portion of that is pretty darn small, but for us not insignificant. So far we’ve been able to cover the costs of taking credit cards without a negative impact to you, but the last few weeks have brought another problem and a different hidden cost related to credit cards.
First, a little explanation about how it works when we accept your credit card number to pay for a service. You type in the number on your keyboard, and it zips from your keyboard to a server in our building where it remains for a fraction of a second before heading off to our credit card service company. Eventually it finds its way to the bank that issued you the credit card and appears as charge on your next bill.
Because we are a link in the transmission of that credit card number, we are subject to something called the Payment Card Industry Data Security Standard. The PCI standard was created to make sure that merchants use adequate safeguards when they process credit charge transactions – after all everyone wants to be safe when using credit cards. PCI compliance can be validated in several ways, depending on the size of the organization and how much business is transacted through credit cards. Big companies must hire an independent assessor to audit their procedures and security levels. Since MCLS falls on the low end of the spectrum, we can demonstrate our compliance through a Self-Assessment Questionnaire and a quarterly security scan of our systems. Our problem is that even this fairly low level of compliance reporting is onerous and is likely to require us to hire an outside consultant to complete it. Through the monitoring process, we may discover that one or more of our processes or systems is inadequate and requires an upgrade. These upgrades and changes create more hidden costs and all because credit card numbers land in our system for less than a second.
We know the genie is out of the credit card bottle. We cannot stop accepting credit cards; many, many libraries now routinely use credit cards to pay for training workshops, security strips, even database and ejournal subscriptions. We want to be compliant so that your financial data is safe. But we also know that raising prices to cover these costs is a non-starter.
We really don’t have many options. We can continue doing business the way we have and try find ways to cover the additional costs, or we can outsource our credit card processing to a company like PayPal. We’ll conduct our investigation during the next few weeks and maybe come up with other solutions. We hope to make a decision about the best way to go later this year.
