It’s a simple question, but a surprising number of organizations aren’t sure where to find the answer to whether they need to be PCI compliant and how they need to demonstrate that compliance. For organizations unsure of their obligations under the Payment Card Industry (PCI) standards, not knowing what is expected of you in order to keep accepting credit card payments while avoiding potential fines can be extremely nerve-racking. I’ll cut to the chase, give you the answer first, and then explain a little more. Your acquiring bank is the authority on your PCI compliance efforts, including whether you have to regularly prove compliance with the PCI DSS and how you prove it. All of this is based on public guidelines from the payment brands, but it is ultimately up to your acquiring bank to enforce any requirements on the organizations it works with.
What is an Acquiring Bank?
An acquiring bank or acquirer is a financial institution of some kind that processes credit card transactions on behalf of your organization and then pays you for those transactions. Whoever backs your credit card transactions, completes them on your behalf, and then pays you the amount owed from those transactions is going to be who you want to talk to for ALL of your PCI questions. Many times, your acquiring bank will be the one who provides your credit card terminals and maybe even the payment applications you’re using. This is also going to be the organization that deposits money in your account from credit card transactions on a regular basis, so it shouldn’t be hard to determine who this is.
So your acquirer is the enforcer on behalf of the payment card brands (Visa, MasterCard, Amex, etc.) when it comes to a merchant’s compliance efforts. Acquirers work with the merchant “levels” defined by the payment card brands, which determine what a merchant’s compliance obligations should be, and they have some freedom to customize how those levels are applied in special cases. Depending on where your organization falls among these merchant levels, your acquirer may expect you to submit a Self-Assessment Questionnaire (SAQ), a full Report on Compliance (RoC), or nothing at all.
What does my organization need to do to be PCI compliant?
Every organization that accepts credit cards, even those with very low transaction volumes, must comply with all applicable requirements in the PCI DSS. The big difference is in how your organization has to prove that it is meeting those requirements. For most businesses in the Level 3/4 tiers, their acquirer won’t require any documentation or validation that they are meeting PCI requirements, except in special cases (e.g. low volume but high value transactions). One way you may be asked to prove you are compliant is by completing an SAQ, either internally or with the help of a Qualified Security Assessor (QSA). This is simply a series of yes/no questions about the way you protect credit card data in your organization and the security controls you have in place. While it may seem like something you can just jump in and “Christmas Tree” to pass the test, you may want to think twice before doing that here. You’ll be attesting to the truth of the answers you provide, and should you be breached in the future, you may see the liability for that breach shift to your organization if you were grossly negligent in applying security controls or untruthful about the controls you had in place. If you need help understanding the SAQ process or completing one, we can help with that.
For the vast majority of organizations, the SAQ will be the right approach to proving you are PCI compliant, and your acquirer will ask you to complete one and upload it to some kind of portal they maintain. But organizations in Level 1, which accept a large number of transactions (in the millions), will be expected to complete a full onsite assessment that results in a RoC. This is a much more involved (and expensive) process, so most organizations won’t do it unless their acquirer tells them they have to, or they are a service provider whose merchant customers require it of them. Again, lean on your acquiring bank for any questions about the proper approach to proving compliance, any requests for deviations from the published PCI standards, the use of compensating controls, or anything else PCI related. It never hurts to ask, and in this case it is better to be safe than sorry.