by Kristyan Mjolsnes
July 24, 2012 2:30PM
Teaming up with an acquiring bank (also referred to as an acquirer or merchant bank) is absolutely necessary. Let’s face it, merchants need someone to convert the credit they accept into money, and that is where the acquiring bank fits into the equation. An acquirer is the financial institution that processes credit and debit card payments for a merchant. In essence, the acquirer receives authorization requests from merchants and then forwards each request to the issuing entity (the financial institution that issued the card) for approval. Thus, an acquirer provides authorization, clearing and settlement services to merchants. In order to process payment cards, a business owner needs to establish a merchant account with an acquirer.
Not all merchants realize this, but a merchant account with an acquirer is really a line of credit and not a traditional bank account. As a result, the acquiring bank accepts the risk of the merchant’s business. This risk to the acquiring bank is even greater as the PCI Security Standards Council (PCI SSC) has placed a number of responsibilities on the acquirer for managing the credit card security of their merchant base.
Some of the basic responsibilities that fall to the acquirer include:
Does the PCI SSC enforce compliance?
No, the PCI Security Standards Council does not replace the individual brands’ compliance programs. The individual participating payment brands separately determine what entities must be compliant, including any brand-specific enforcement programs. Based on the sheer volume of small merchants out there, the acquirers have been tasked with managing merchant compliance. That is, they ensure that their merchants are aware of PCI DSS compliance by tracking and mandating their compliance.
How do acquirers track merchants’ PCI compliance?
Acquirers track merchants’ PCI compliance through basic documentation. Most merchants fall into a validation level that allows them to self-validate (in other words, document compliance on the honor system). What many people forget is that PCI compliance is validated at a point in time, but you must adhere to compliance at ALL TIMES.
Typical PCI compliance documentation includes:
Not all acquirers are proactive about requesting this documentation from their merchant base. It does not matter whether it is because they have not built the systems to track compliance, do not have the personnel to manage it, or just have not prioritized the project. At the end of the day, even if your acquirer is not reaching out for your SAQ or passing ASV scans, it is still your responsibility, as a merchant, to document (validate) your PCI compliance. Just because the acquirer is not asking for it today does not mean they will not ask for it tomorrow. When (not if) they do ask you to prove your compliance, you had better be able to deliver. The merchant agreement you signed outlines your full consent to be PCI compliant, and if you go back and read it you will find an entire section dedicated to just that. There are legal repercussions if you, as a merchant, are not compliant.
To sum up this blog series, “Top 5 Things You Should Know About PCI Compliance,” whether we are talking about Wi-Fi, the firewall, scanning, the payment application or the acquirer, each business owner needs to prioritize information security and take critical steps to protect the business and the customers it serves. Do not wait for the acquirer to tell you about PCI compliance. Do not rely solely on your POS vendor to handle your security. Do not ignore the results of your quarterly scans and let issues go unfixed. Remember, the smaller the investment you make in your network security, the easier you make it for a hacker to exploit it.
Read the other Top 5 Things You Should Know About PCI Compliance Blogs:
Part 1: Wi-Fi
Part 2: The Firewall
Part 3: Vulnerability Scanning
Part 4: Payment Application
Part 5: Acquiring Bank (currently viewing)
Webinar
For more information, please view the recording of our Top 5 Things You Should Know About PCI Compliance webinar.