Do Payment Facilitators Have to Be PCI Compliant?

Data security is a critical component of the work that payment facilitators do. Proper management of sensitive data is an essential responsibility for anyone enabling access to the payments system. So every payment facilitator needs to understand the role that PCI compliance plays in their overall risk management efforts.

The Payment Card Industry Data Security Standard (PCI DSS) is a payments industry standard that protects cardholder data. Commonly referred to simply as PCI, the standard provides guidance for how businesses involved with processing that data must secure it.

The PCI standard applies to the merchants, financial institutions, and payment providers that handle the data, as well as to the vendors and developers who create payment products and applications. It provides direction about the people, the systems and the technology associated with processing payments data.

The standard is maintained by the PCI Security Standards Council, a global organization that was founded by card networks American Express, Discover, JCB International, Mastercard and Visa, which now govern its work.

What is required of PFs?

Like any other entities involved in processing payments, payment facilitators must comply with the security standard, and they must validate their compliance. The card networks incorporate the standards into their own technical requirements and, along with acquiring banks, they enforce compliance with the standard.

The PCI Security Standards Council (SSC) describes compliance as a three-step process. First, organizations identify the systems and technology used for payment processing – also known as “scoping” – and determine where any vulnerabilities lie.

Second, they shore up their security according to the requirements where they’re vulnerable and, if possible, eliminate any storage of cardholder data. And third, they submit reports to their acquiring banks and / or card networks as required, demonstrating that they’ve taken the steps necessary to comply.

According to Chris Bucolo, SVP of market strategy for ControlScan, payment facilitators may validate their compliance in one of two ways, depending on the requirements from their acquiring bank. They may be able to use self-assessment, known as a Level 2. Or they may participate in an assessment led by a qualified security firm called a Qualified Security Assessor (QSA). This is also known as a Level 1 assessment. The PCI SSC provides a list of QSAs on its web site.

Self-assessment allows the business to complete a questionnaire and compile its own documentation. For a Level 1 assessment, the QSA participates in the assessment process and signs off on the results. Either path culminates in an Attestation of Compliance – a form on which the organization attests to the results of its compliance efforts.

“There are a few acquirers/processors that may allow for a self-assessment path for a start-up and/or if they perceive their PCI related risk to be low,” Bucolo said.

Regardless of the level of assessment they will ultimately need to perform, it’s critical for payment facilitators to understand and adhere to the requirements set out by their acquiring bank. Failure to do so can result not only in reputational damage, but hefty fines for noncompliance.