PCI Compliance – Why Merchants Need to Take It Seriously – Part 2
In Part I, I discussed the importance of PCI compliance, consequences of non-compliance and the effect of account termination on a merchant. Part II will discuss the basics of PCI compliance responsibility and how merchants can avoid fines and account termination. Who is Responsible for PCI Compliance?
In order to be PCI compliant, all acquirers, merchants and third parties using a card association’s payment system must not only abide by the PCI DSS requirements but also that association’s guidelines. For example, any organization using Visa’s payment system (i.e. any organization which receives, processes or passes Visa branded cardholder information) must abide by Visa’s International Operating Guidelines. Failure to comply can result in monetary fines and possible disqualification or merchant account termination.
Association compliance for merchants is based on levels of validation for each card association. Visa, MasterCard, and Discover each have four levels of validation for merchants. American Express has three levels and JCB has two levels. Each level is based on annual transaction volume with Level 1 being the highest. It is the responsibility of the merchant to check the criteria for each card brand it accepts and adhere to the validation requirements for the appropriate level in which it falls.
NOTE: MasterCard made some changes to their security program recently, whereby a merchant falls into a certain level based on its level with Visa. So, if a merchant processes over 6 million Visa transactions (Level 1), but only 2 milllion with MasterCard (Level 2), it would be a Level 1 merchant with both associations.
Non-Compliant Activities
So, what type of activity can result in a fine or merchant termination? Basically, two words – non-compliance. Credit card compliance covers PCI DSS and card association guidelines. Any activity violating those can result in fines, being put on MATCH or account termination.
Using Visa as an example again, per their operating guidelines, if Visa determines that a member, its agent, or a merchant has been deficient or negligent in securely maintaining the account or transaction information or reporting or investigating the loss of this information as specified in this section, Visa may fine the member, as specified in Section 1.6.D, or require the member to take immediate corrective action. Visa members are financial institutions who issue and maintain account information (i.e. acquirers).
“Repetitive violations can incur heavier fines, possible listing on MATCH or account termination.”
Visa’s operating guidelines define the reason for terminating a merchant account (aka, Revocation of Privileges):
Visa may permanently prohibit a Merchant, IPSP, or any other entity, or one of its principals, from participating in the Visa or Visa Electron Program for any reasons it deems appropriate, such as:
- Fraudulent activity
- Presenting Transaction Receipts that do not result from an act between the Cardholder and the Merchant (laundering)
- Activity that causes the Acquirer to repeatedly violate the Visa International Operating Regulations
- Activity that has resulted in a Regional Office prohibiting the Merchant from participating in the Visa or Visa Electron Program
- Any other activity that may result in undue economic hardship or damage to the goodwill of the Visa system
Similarly, MasterCard’s rules state that failure by a Merchant or Acquirer or both to comply with any Standard may result in chargebacks, an assessment to the Acquirer, and/or other disciplinary action.
Repetitive violations can incur heavier fines, possible listing on MATCH or account termination. Associations will also continue to levy fines if the merchant does not correct the action deemed as non-compliant. Any fines from the card associations related to merchant activities will be passed down to the merchants. If a merchant does not take correction action or neglects to pay the acquirer, the merchant account is at threat of being terminated and listed on MATCH.
Be Careful Using Third-Party Service Providers
Using third party vendors can certainly streamline your business operations and credit card sales. However, they can also hurt your business if they are not compliant with industry guidelines. Aside from any possible data breach, simply using a non-compliant vendor can result in fines from the associations as well. Third party service providers include payment gateway, web hosting, or backup storage services.
There are many reasons to use a PCI compliant vendor – aside from following PCI compliance guidelines, using a compliant vendor helps to protect your customer records, which should be the number one priority.
According to PCI guidelines, merchants are required to verify service provider compliance. The PCI DSS requirement 12.8 (outlined below) requires a merchant to “manage” any service providers:
12.8.1 Maintain a list of service providers.
12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.
To assist with compliance on this level, the PCI SSC adopted the Payment Application Data Security Standard (PA-DSS), formerly managed by Visa as the Payment Application Best Practices (PABP), for software vendors or other companies who develop secure payment applications. A list of validated payment applications is available on the PCI SSC web site. Each payment application on the list is valid for one year, so application vendors and developers need to go through similar annual reviews and due diligence as required by the PCI DSS for organizations.
Additionally, card companies have put requirements into place regarding service provider compliance. Visa, for example, stipulates that issuers and acquirers must use, and are responsible for ensuring that their merchants use, service providers that are compliant with the PCI Data Security Standard (DSS). Although there may not be a direct contractual relationship between merchant service providers and acquirers, Visa issuers and acquirers are responsible for any liability that may occur as a result of non-compliance.
Service providers must register with Visa in order to be included on their list of PCI DSS-compliant service providers. Visa defines two levels (based on volume) of compliance for service providers. Visa defines service providers as TPAs (Third Party Agents), which are entities that provide payment-related services, directly or indirectly, to a Visa client and / or stores, processes or transmits Visa account numbers. TPAs include Independent Sales Organizations (ISOs), Third Party Servicers (TPSs), Encryption and Support Organizations (ESOs) and Merchant Servicers (MSs). TPAs must be registered in Visa’s Agent Registration Program, mandated by Visa to “ensure that Visa clients are in compliance with Visa Inc. Operating Regulations (“Visa rules”) and policies regarding their use of TPAs.” Only Visa clients (i.e. acquirers) can register TPAs and are thus responsible and liable for their TPAs. POS software providers that provide the payment application only and do not store, process and / or transmit Visa account numbers also need to adhere to the PA-DSS. Fines from Visa include $10,000 for using an unregistered TPA.
Under its SDP program, MasterCard also requires third party service providers to follow compliance guidelines. It defines service providers as a collective term for Third Party Processors (TPPs) and Data Storage Entities (DSEs). It also defines two service provider levels for compliance.
PCI compliance for service providers includes onsite assessments, self-assessment questionnaires, and network security scanning. Summed up by MasterCard, the compliance process for its service providers is a 3 step process:
- Review the relevant PCI documentation, validation tools and procedures
- Engage an approved vendor, as appropriate, and follow the validation procedures
- Once compliant, work with a qualified security assessor to send a Certificate of Validation to MasterCard
In all cases with service provider compliance, PCI SSC Qualified Security Assessors and Approved Scanning Vendors must be used. For a merchant to ensure complete compliance across the board, it is necessary for its service provider(s) to be on all relevant compliance lists.
View Visa’s current list (as of March 6) of PCI DSS Validated Service Providers here.
View MasterCard’s list of compliant service providers here.
Using a third-party vendor or company in the processing of credit cards does not exclude a merchant from PCI compliance responsibility. The merchant is still responsible for data security and abiding by PCI compliance rules and the operating guidelines of the card brands. Issuers and acquirers are also responsible for any liability that may occur as a result of non-compliance.
How Merchants Can Avoid Fines and Account Termination
Before account termination or being put on MATCH, a merchant may be warned and fined for non-compliance for risky activities, such as excessive chargeback ratios or not following PCI DSS. That is a warning which should not be taken lightly by any merchant. Corrections for any non-compliance should be fixed immediately. If a data breach has occurred, it is the merchant’s responsibility to report it as soon as it is discovered.
Using a third-party vendor or company in the processing of credit cards does not exclude a merchant from PCI compliance responsibility. The merchant is still responsible for data security and abiding by PCI compliance rules and the operating guidelines of the card brands. Merchants are responsible for reading and understanding the card association guidelines in their entirety for each card type they accept. Merchants should also use a payment processor who explains compliance and helps avoid fines by keeping an eye on chargeback ratios and understanding their third-party vendors. Of all the parties (with the exception of the customer) involved the payment transaction process, the merchant is the one who loses out the most if data security is compromised or the merchant account is terminated. Merchants can prioritize compliance by assigning a security officer – or other responsible party – to ensure that all necessary compliance requirements are being met. This includes making sure service providers are consistently compliant as well.
- Reference documents
- Card association operating guidelines
- MasterCard
- Visa
- American Express
- Guidelines for Discover and JCB are not available online. Merchants can obtain them from the card associations directly.
- Card association requirements for merchant compliance
- Visa Cardholder Information Security Program for Merchants
- MasterCard Merchant Requirements
- Discover Information & Security Compliance
- American Express JCB Data Security Program