Friday, February 11, 2011

Enforcing PCI DSS compliance for Service Providers

by David Ochel

There is nothing new about the fact that anybody who is processing, storing, or even just transmitting credit or debit card data (commonly referred to as cardholder data) needs to be compliant with the PCI Data Security Standard. And it isn’t new to the multitude of service providers who make the lives of merchants accepting these cards easier by providing specialty expertise and tailored solutions for today’s diverse online and offline markets. But the approach that some card brands, such as Mastercard and Visa, take to enforce DSS compliance of service providers with which they don’t have direct relationships has changed somewhat over the past year and sometimes still leads to confusion. So let’s try to shed some light on it:

Enforcement used to be – and depending on the card brand, still is – indirect. The brands mandate PCI compliance. Their “members” or “clients,” who are typically the card issuing and merchant acquiring banks, as well as other processors directly connected to the brand networks, have the contractual obligation to enforce compliance down the chain. Agreements between banks and merchants require the merchants to be compliant, which may add the potential for contractual fines to be imposed if they aren’t. Merchants (and others), in turn, may use a variety of third party “service providers”: from data centers that do nothing more than host servers for a merchant on the one end, to full-fledged providers of online store frontends that pass orders and transactions on to a merchant’s system as part of their overall supply chain on the other end. As a result, the PCI DSS (in section 12.8) requires that everybody who is mandated to be PCI compliant shall ensure that any third party helping them to process, transmit, or store their cardholder data will be PCI compliant as well.

This indirect chaining of compliance requirements works, but only to a certain extent. For example, if a third party service provider managing transactions for a merchant is breached, then who is held responsible and how will future compliance be enforced? Merchants only have so much leverage over their service providers. Direct contractual relations between the card brands and third party service providers, which require the third parties to be PCI DSS compliant, would allow the brands more control over compliance efforts in these areas of the card-accepting world, and potentially reduce the likelihood of card-related security breaches, while improving the baseline defenses across the board and minimizing overall risk for the payment community. And this is exactly what brands like Mastercard and Visa are doing now, and others may follow their example.

And here is how: the banks associated with Mastercard and Visa USA that acquire card transactions from merchants are now required to enroll with the card brands any service provider with which they have a relationship. This includes indirect relationships, such as service providers that have a relationship with any of the bank’s merchants.

Enrollment requires demonstration and maintenance of the service provider’s PCI compliance, amongst other contractual obligations, establishing a formal relationship between acquirers, brands, and service providers that allows compliance to be enforced by means of potential fines and similar measures.

Currently, the two brands requiring such enrollment charge the first processor who enrolls a third party service provider (also referred to as a “member service provider” or “third-party agent”) a one-time fee of USD 5,000 and then a yearly maintenance fee of USD 2,500, with no further fees subsequently due from any other processors enrolling the same agent. One would expect that processors pass these charges on to the actual third parties they are required to enroll.

It should be noted that other card brands, such as American Express, Discover, and JCB, also require PCI compliance of all service providers. Again, this is nothing new; only the method by which some card brands have started enforcing their compliance requirements has changed.

More information on individual card brands’ registration requirements for service providers can be found at:
