iPayment IncPCI Fraud

Review updated:

They pulled our PCI compliance certificate a month early then charged us for being non-compliant plus charging us for a nother year for PCI compliance. We faxed all our company certificates from McAfee that we hired to get our PCI compliance back yet they refuse to refund our money.

We filed a complaint with the BBB and they promised our fees back but they still have not honored that.

Nashville, TN BBB

BBB CASE#: [protected]

DO NOT USE THEM -- they are thieves.
We got them through Advanced Merchant Group,, who is just as scammy as iPayment Inc is.

iPayment Inc

Sort by: UpDate | Rating


  • Me
      Jan 08, 2011

    We have just received an email from Barclaycard merchant services and in it they ask me to be PCI compliant, ok that's fine, now in this email they give me three web links, one is to which when you get there and identify your business environment you can download a document that has 20 pages, that is the B form, now when you look at this form (i am an IT person, and have been, for 35 years, yes there were computers then) the document relates to nearly every business on the planet, the site itself has a HTTPS and it shows a GREEN "SAFETY STRIP" but the site does not collect any data, when i looked at the document and found that it was user Unfriendly, lots of questions not relating to my setup as a card accepter, i was forced to go back to the original email and follow the other link, when i went there, i had to register and was asked to pay £11.97 this is a discounted price for BCMS customers, when i read the terms and conditions, it stated that basically they were not responsible for anything that i told them???, so when i called them and asked what they did, they said that the form i filled in online was sent to BCMS, my question is why are BCMS asking me to give an undertaking to a third party that does not warrant the information, and why do i have to pay for the privilege, Barclays say that this company are APPROVED and if i did not conform to this then i could get a MASSIVE FINE from a card company, i only transact cards from a machine that is connected to the telephone line directly and the receipts that we keep are put into a secure till along with all the money that we take in the course of a day, and are then put in a locked device in a locked and secure office. my question is why when i signed a document in the first place on applying to get a terminal, it stated in legal garb that i would be totally diligent at storing any details of customers securely, which is what we do, can anybody see why the VISA's of this world are asking BCMS to get me to comply to this, when BCMS should have been making sure that i was secure, this form has to be submitted each year, and presumably the full fee would be payable, about £80, this directive has been in existence since 2004 ish so why do the banks now ask for this fee to be paid, and why do the banks not ask me directly what i do to comply, i put this to BCMS and their answer is that they are not able to process the data as they are not PCI DSS approved people, PCI DSS accreditation takes and individual less than a week to pass the course, are we being ripped off, or do they honestly think that they are not able to administer a simple form, i think the former, barclay card are being very coy about their answer, s as i have had a number of calls to and from them, and it has got to a higher level, has anybody else had this email.

    0 Votes
  • Sc
      Jan 08, 2011

    I think you are confused...

    Your processing merchant, BCMS, is correct - they are not a PCI/QSA vendor so they can not warranty your card processing security. Only a QSA vendor can. You can see all the Qualified Security Assessor’s that are approved by Visa and MasterCard vendors at

    The Visa site also has the list that they have approved -- basically if Visa/MC has not approved them they are NOT a PCI approved. See

    0 Votes
  • Ve
      Sep 17, 2012

    I to am a First Data customer and also a customer through Security Metrics as part of my agreement with First Data. I believe something is allegedly a miss with Security Metrics. Let me explain-

    A few weeks ago I had Security Metrics run a scan on both my IP and website address. The IP scan came out fine, the website returned a failing grade (all in all I ran 4 scans and all came back failing). I gathered all of the information and took it to my site provider in hopes of fixing the issue.

    The site provider told me that Security Metrics scan is coming back with false positives and that Prostores, my site provider is in fact PCI complaint. Prostores then gave me the information that proved that my site provider is complaint. I have included the email from my site provider below.

    Thank you for contacting ProStores Technical Support. This issue, "PCI Compliance errors - Security Metrics", has been marked as resolved based on the following steps:

    ProStores is PCI compliant.

    ProStores uses code that can cause false positives such as the ProStores SSML code, etc.

    ProStores PCI Compliance
    ProStores data center facilities have been inspected and passed the on-site assessment for PCI DSS compliance and the following scan summary performed by a Visa-approved PCI scanning vendor verifies that the ProStores application and hosting environment are PCI compliant.

    PCI DSS Certification
    No Unresolved Vulnerabilities
    Scanning Vendor: Alert Logic
    Customer: ProStores
    Scanned Date: July 31, 2012 4:30 PM
    Scan Expiration Date: October 31, 2012
    Status: Compliant - Pass

    I then received my monthly invoice from First Data and found a link to another PCI company and registered for the service (I was skeptical of Security Metric and was thinking of getting a second opinion anyway). To my surprise another company PCI Rapid Comply ran the same scan of both my IP and website and round that my site WAS COMPLAINT.

    I have since wrote to Security Metrics with my findings and informed them I was going to look into having them investigated and have not had any response as of yet.

    0 Votes

Post your comment