In my role at ProPay I have opportunities to speak with numerous merchants and 3rd party service providers about their PCI DSS compliance status and to provide information on how to comply.  Recently, a disturbing trend has been arising with some 3rd party service providers.  When speaking with service providers about the need for them (the 3rd party) to comply with the PCI DSS to support their clients (ProPay merchants), I have heard more than one threaten that they would simply recommend that the merchant “move to another gateway that won't make them comply.”  While this indifference to the card brand rules is certainly disturbing, the statement does not make sense.  I want to take this opportunity to differentiate between the various parties and identify which organizations are responsible for enforcing compliance.

Card Brands- Visa, MasterCard, American Express, Discover, JCB.  Card brands manage the ‘interchange networks’ and enforce operating regulations on their members (an outdated term, but brevity precludes a more detailed discussion).  The card brands can only enforce compliance with the operating regulations on their banking members.

Acquirer- An organization that has issued a MID to a merchant.  An acquirer can be either a bank that is part of a card brand network or a bank’s agent; these agents are more commonly called independent sales organizations, or ISOs.  ProPay is an agent of a bank.  Acquirers enforce compliance with the card brand rules on their merchants.  Since acquirers underwrite the merchant accounts, they have liability for the merchants.

Merchant- A merchant is an organization that has been authorized to accept payment cards in exchange for goods or services.  Authorization to accept these cards is through the issuance of a Merchant ID, more commonly known as a MID, by an acquirer.  The merchant contract requires that the merchant agree to abide by all applicable card brand (Visa, MasterCard, etc.) operating regulations, and the card brands require merchants to comply with those rules.  The lightbulb should be going off now!

Processor- A processor is an organization that can accept payment card transactions for authorization or settlement.  There are a number of other functions provided by processors, but it is easiest to think of processors as the links into the card brand networks.  All data flows into the interchanges through processors.

Gateway- Gateways are organizations that receive transaction data from merchants and forward it to processors for subsequent processing.  Often gateways will also provide fraud reporting and other services.

It is important to understand the main stakeholders in the transaction process.  A merchant will have their account underwritten by an acquirer.  This acquirer may be either a bank or an ISO.  This acquirer is ultimately responsible for the merchant’s compliance with the card brand rules.  Compliance with the PCI DSS is a card brand operating regulation.  If a merchant refuses to comply, the card brands can penalize the acquiring bank, which in turn will likely pass on the penalty to the agent (if using an agent), and the agent will likely pass it on to the merchant.  The gateway and/or processor has no role in enforcing compliance with the PCI DSS.

Those companies that mistakenly believe they can skirt PCI DSS compliance by switching gateways and processors are missing the point.  Unless they were to find an acquirer willing to thumb its nose at the card brand rules (very, very unlikely), the merchant would have the same obligation to comply with the operating regulations.

Remember, as a merchant you have agreed to abide by the card brand operating regulations.  These regulations include compliance with the PCI DSS as well as a number of other rules.  Your merchant acquirer is responsible for complying with the rules as well.  One of the rules that acquirers must comply with is the rule that says: “all banks and their merchants will comply with the PCI DSS.”

When using a third party, it is important that you use only those 3rd parties that have validated compliance and are registered in accordance with the card brand operating regulations.  More information can be found in the previous blog post: Using a 3rd Party Service Provider? Know the PCI DSS Rules!

Chris Mark; EVP; Data Security & Compliance