I was just reading an article that apparently American Express is sending out letters to ALL merchants requiring $200-800 quarterly PCI compliance scans?

http://www.tamingthebeast.net/blog/ecommerce/pci-compliance-1006.htm

Is this true?? If so this is going to be a *huge* pain! Imagine having to have your site scanned 4 times a year (and having to pay 3rd party companies for it).

Before, PCI compliance scans were only required by companies processing over 20,000 transactions per year, but this article is saying that Amex will now require scans by companies in the 1-20,000 transactions range as well - in other words, ALL their merchants :-(

Anybody know if this is true?

As far as I know, Level 4 merchants only need to enter a registration through a Visa/MasterCard certified security assessor, which should be free of charge.
I can't imagine that Amex would now require something else and would actually require merchants to be certified and make such costs, which for small merchants can be an excessive amount.

If they do, they will loose lots of smaller merchants.

Anybody else have any info or confirmation on this?

Thanks

Have you looked at the requirements on Visa's website?

http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_merchants.html?it=l2|%2Fbusiness%2Faccepting_visa%2Fops_risk_management%2Fcisp%2Ehtml|Merchants

It states that all levels require scanning by an approved scannning vendor.

I think that there are more affordable solutions then the $200-$800 range you've listed. Have you checked out ScanAlert?

http://www.scanalert.com/

Some gateway providers, such as Valet Pay, can get you scanning services of ScanAlert for free. The reason ScanAlert offers the services for free to gateway customers is because they believe they can sell the merchant value added services such as "Hacker Safe". Check them out.