PCI Compliance: The Role of the Acquiring Bank
This blog is intended to help merchants understand the various roles in PCI compliance. Specifically, we are going to look at perhaps the most important role: the role of your acquiring bank. Simply put, your acquiring bank is the judge and jury when it comes to meeting PCI compliance. Let’s discuss.
Who is My Acquiring Bank?
According to the official PCI Glossary, here is the official definition:
Also referred to as “merchant bank” or “acquiring financial institution”. Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.
OK, that definition is a good start, but lets break that down further. When a customer is buying something at your store (whether that is in-person or online), they enter their credit card information and that goes somewhere to be processed. Once it is approved and settled by the payment brand (Visa, Mastercard, etc.) the money eventually gets put into your bank (minus a small fee, of course). Whoever puts that money into your account is your acquiring bank.
It is also entirely possible that you have more than one acquiring bank. You may have an e-commerce portion that is handled by Bank A, while your point-of-sale terminals are provided by Bank B. It is also possible that it isn’t a bank at all. For example, if you are using an e-commerce platform like Shopify or Stripe, they may be the one giving you the money back into your account. Doesn’t matter whether they are an actual bank or not, they are still serving the role as your acquirer.
The Role of the Acquiring Bank
So now that we know who your acquiring bank or acquirer is, why do you care? Well, the acquiring bank is the enforcer of PCI compliance. Specifically, their responsibilities include:
- Determining the PCI DSS validation and reporting method for their merchant customers on behalf of the payment brands (Visa, Mastercard, etc.) – This means that your acquiring bank is responsible for determining whether they want you to fill out a Self Assessment Questionnaire or complete a full-blown Report on Compliance. This also means they determine whether they want you to do an SAQ-D, or if they will accept two smaller, individual SAQs for each of your different payment channels.
- Providing direction about which PCI DSS requirements are to be included in the assessment – This means they can choose to waive certain requirements. There has been several times where a customer has a unique situation, and we come up with a plan and talk to the acquiring bank about a work-around. If the acquirer agrees with our approach, they have the authority to let us mark a particular control as N/A.
- Enforcing PCI compliance – The acquiring bank, on behalf of the payment brand, is responsible for enforcing compliance. They are the ones who are ultimately taking the risk and, therefore, they enforce compliance. They set the due date, they might issue penalty fees if you are not meeting compliance, and ultimately, they can cut off your ability to accept credit card payments if they deem you are not in compliance.
Summary
In summary, your acquiring bank or acquirer is whoever is responsible for putting money into your account when a credit card transaction is processed. Your acquiring bank is also the one accepting the risk for all transactions that you perform. As such, they have a special role in PCI DSS compliance. Specifically, they are the enforcer, they determine exactly which controls you need to implement, they decide how you need to be assessed, and they can issue fees if you do not meet compliance. If you have any other questions about this, reach out to us and we can put you in touch with one of our QSAs.