12 Dec 20

The PCI DSS Is Not The Only Relevant Payment Security Standard

One of the more lively discussions at our past PCI Dream Team session concerned requirement 12.8 and third party management (i.e., service providers).  What got the discussion started was when Art (Coop) Cooper made the comment that only SAQ A states that all third parties must be PCI compliant.  All of the other SAQs and even the ROC do not state that third parties need to be PCI compliant.

All of this is very true and has been this way since the beginning of the PCI DSS.

But …  That is not the whole story.

In this instance, the PCI DSS is not the only game in town.

People forget that Visa, Mastercard, Discover, American Express and JCB (aka “The Brands”) still have their own security programs and requirements in addition to the PCI DSS.  Some of these requirements are in their Operating Rules or similar documents.  In this case, Visa, Mastercard and Discover all require that service providers be PCI compliant as defined on their respective Web sites.  In the case of Visa and Mastercard, they maintain lists of PCI compliant service providers.  That said, those lists are marketing ploys that generate revenue for Visa and Mastercard as those service providers listed pay them to be on those lists. 

While Coop’s statement is accurate that the PCI DSS does not require service providers to be PCI compliant, it is shortsighted.  The Brands do require service providers to be PCI compliant and will enforce it through the merchant agreement/contract all organizations sign in order to accept those cards for payment.

The bottom line is that, if any service provider can provide you a current PCI Service Provider Attestation Of Compliance (AOC), you can use their services and comply with the Visa, Mastercard and Discover contracts.

Coop also stated that he has never seen the Brands enforce the contractual obligation when reviewing organizations’ ROCs and SAQs.  That is also a true statement but again not the complete story.  Based on what I have been told by lawyers that have been involved in breach litigation, it is the merchant agreement/contract that is used to hold breached merchants legally responsible and enforce fines, not PCI compliance or what is in any PCI document.  The PCI documents are used to influence fines and penalties, but the actual enforcement is through the contracts with the Brands.  If it is found that an organization was using non-PCI compliant service providers that just adds fuel to the fire.

As famous radio personality Paul Harvey used to say, “And that, is the rest of the story.”


12 Responses to “The PCI DSS Is Not The Only Relevant Payment Security Standard”


  1. jJK
    February 24, 2021 at 8:30 AM

    I found a Visa doc that says “Agent registration is required for all entities providing solicitation activities, managed services and/or storing, processing or transmitting Visa cardholder data for Visa clients (or on behalf of their merchants or agents). There are also fines associated for ‘Clients’ using non-registered TPAs.

    If this is a requirement with fines associated, would merchants (not Visa ‘Clients’) be liable for the fines if they used a nonregistered service provider? I’ve confirmed with Chase that Visa requires TPAs to be registered and PCI compliant.

    Just asking because it sounds more like a requirement than a marketing aid. Appreciate your response and work here.

  2. Robert
    January 12, 2021 at 3:37 AM

    I’d like to make an observation.

    You stated “… those lists are marketing ploys that generate revenue for Visa and Mastercard as those service providers listed pay them to be on those lists.” Visa’s Global Registry of Validated Service Providers and the MasterCard Compliant Service Provider List exist for the convenience of merchants when they need to select a TPSP. Service providers do not pay the Card Brands for the privilege of being listed in the registries; rather, any payment is related to compliance with the Card Brands’ operating regulations. TPSPs need to be registered in the Brands’ specific Third Party Agent (TPA) programs (which track the relationships between TPSPs and merchants), and there is an administration fee associated with these TPA programs. So, yes, there’s a fee, but it’s not for the purpose you stated.

    • January 18, 2021 at 3:46 PM

      A year ago when I registered my last service provider, you still had to pay Visa or Mastercard to be listed on their Global Service Provider Registries. TPAs are an entirely different animal from a managed service provider (MSP) that does not handle CHD/SAD. However, most TPSPs that are listed are TPAs as well.

  3. Coop
    December 12, 2020 at 7:34 PM

    Wow. Guess I need to shut up.

  4. Kelly Clark
    December 12, 2020 at 7:17 PM

    I just wanted to point out/clarify one of the statements in your post that may be misinterpreted. When you say:

    “it is the merchant agreement/contract that is used to hold breached merchants legally responsible and enforce fines, not PCI compliance or what is in any PCI document. The PCI documents are used to influence fines and penalties, but the actual enforcement is through the contracts with the Brands.”

    With Visa and MasterCard, there is no contract between the merchant and the Card Brand. The contract is between the Merchant and their Acquirer. Both Visa and MasterCard forced the Acquirers to insert language in their Merchant contracts through changes in their Op Regs many years ago that require the Merchant to agree to be PCI compliant. This is why the Card Brands fine the Acquiring Bank when assessing fines and penalties for breaches, and the Acquirer, in turn, fines the Merchant, because there is no direct contract with the Card Brands.

    The closed-loop brands like AMEX and Discover may handle things differently but I haven’t been involved in any breaches where they assessed fines against the merchants so I can speak from experience on them. As for JCB, who knows? Have they ever assessed a fine that you know of?

    Thanks,
    Kelly Clark

