PCI Compliance: Acquirers and ISOs December 28, 2007
Posted by paragonhost in Hosting News, Internet, Internet Protection, ModernBill, Network 101, PCI Compliance, ParagonAuthorize, ecommerce.Tags: Acquirers, Compliance, ControlScan, Credit Card Fraud, eOnlineData, HackerSafe, ID Theft, Identity Theft, Interent eCommerce, ISO, Master Card, Merchant Services, online merchants, Paragon Authorize, ParagonAuthorize, PCI, ScanAlert, Security Focus, Visa
add a comment
For liability concerns, an acquirer should not directly advocate any one ASV or QSA to their merchants, however it is acceptable for the acquirer to tell the merchants what third party company or companies that they have strategic partnerships with.
“Try to seek a partner who you can rely on to assist with your PCI Compliance program, ControlScan offers a number of solutions for merchants, ISOs and acquirers and currently partners with one of the largest acquirers in the United States,” said Stanton.
As well, the PCI Security Council has a list of approved ASVs and QSAs. Visa and MasterCard also offer their own lists on each Web site.
“Acquirers and ISOs should establish a relationship with a trusted, association-approved PCI assessor, and develop a program for all their merchants to establish compliance, and ensure periodic testing so that compliance remains intact moving forward,” wrote Gray.
A model relationshipThird Party ASVControlScan, Inc. is an Atlanta, Ga.-based, PCI Security Standards Council–approved third party vendor (ASV), providing vulnerability scan and assessments, compliance assistance and network security. Their clients include Fortune 500 and billion dollar corporations such as: Travelers Insurance and PBS.The company offers a turnkey, no-software-needed approach to PCI compliance, and its security certificates assist in meeting the criteria for mandates in Europe, Japan, Canada, ISO and the USA, not only for PCI compliance but also for Sarbanes Oxley, HIPAA, GLBA and FISMA fulfillment. AcquirerAccording to ControlScan’s CTO & Founder, Richard Stanton, the company recently became the ASV for PowerPay, LLC, mentioned previously in this article.“PowerPay requested that we [ControlScan] conduct all of their mandated PCI compliance scans, for all 16,500 of their merchants,” said Stanton.“What sets us apart from other vendors, is that we actually call the merchants, directly, and we also provide a secure Web system, so a company like PowerPay can log into our system and check their merchant’s PCI status at any time.”He continued, “ControlScan is very proactive, providing contact with the merchant, in order to make sure each merchant is PCI compliant…we actually make direct phone calls to each merchant.”
According to PowerPay President Ron Greenberg, after meeting representatives from ControlScan at an industry conference, the company decided ControlScan offered the best PCI compliance scanning program.
“They have a very structured program of trained outbound sales agents along with personalized consulting to assist our merchants in complying with PCI DSS,” says Greenberg. “Other vendors typically did limited outbound sales with no technical support to the merchant.”
In addition to offering the quarterly network scans, mandated by PCI DSS, ControlScan offers an automatic submission solution, for merchants sending the 12-section PCI Self-Assessment Questionnaire.
ISO
e-Online Data is a credit card processor, offering merchant solutions for Internet, Mail Order and Auction sellers. They service e-commerce merchants ranging from startups to billion-dollar companies, according to their Web site.
At the bottom of the e-Online Data homepage, there is a sentence that reads, “e-onlinedata is a registered ISO/MSP of HSBC Bank USA, National Association, Buffalo, NY”
In this model, HSBC Bank USA is the actual acquiring or ‘member bank’, and e-Online Data is considered an ISO.
The partnership between acquirer, member bank, ISO, third party ASV and merchant looks like this:
PCI Compliance: Who is the Acquirer? December 28, 2007
Posted by paragonhost in Internet, Internet Protection, PCI Compliance, ParagonAuthorize, Technology News, ecommerce.Tags: Acquirer, Bank, eOnlineData, Internet, Internet Security, Master Card, Merchant, Merchant Services, Online eCommerce, ParagonAuthorize, PCI, PCI Compliance, Security Focus, Transactions, Visa
add a comment
Who is the acquirer?
It’s a basic question, yet for merchants new to PCI compliance in general, the name ‘acquirer’ may mean several different things.
For some, it means the ‘acquiring bank,’ which is also known as the ‘member bank.’ The member or acquiring bank is the bank that underwrites and issues the credit card from the card associations to acquirers and ISOs. The member bank is just that: a member of the card association-the card association that gives it’s approval and permission for that bank to issue cards with the Visa, MasterCard, Discover or American Express logo.
But an ‘acquirer’ usually refers to the entity-usually a credit card processor–that provides credit card processing services for Visa, MasterCard, AmEx and Discover receipts collected by merchants, directly or through an affiliated ISO.
Moreover, another layer of merchant confusion comes in because there are times when an ISO is considered an acquirer as well, or, in the case of a company like North American Bancard, a Super ISO-an entity that takes the liability responsibility on, that the acquirer would usually take on for the ISO.
The member bank/acquiring bank receives funds from a cardholder when a credit card transaction is completed, and deposits the payment amount, minus any fees, into the merchant’s Merchant Account and from there into his business checking account. From a merchant perspective, knowing the acquirer may be a rather confusing question to even ponder, but it falls to the acquirer to make sure merchants, no matter their level, become compliant. With these new directives in place, it’s incumbent upon the acquirers take their own steps to ensure that they understand what their merchants, ISOs and, in some cases, third party vendors need and to make their merchants understand the PCI compliance process completely.
ISOs and the acquirer
According to an article entitled, “PCI Demands the Attention of Acquirers Now More than Ever Dramatic Non-Compliance Puts ISOs and Acquirers at Risk,” in the May 2007 online edition of “The Exchange” newsletter from the Strawhecker Group-a management consulting company focused exclusively on the merchant acquiring sector of the payments Industry-the relationship between an ISOs and acquirers is very important.
“The liability for non-compliance, when a merchant is breached and/or compromises sensitive data, lies on the acquiring institution; typically, this is passed on to the ISO providing Merchant Services and by that ISO onto the merchant themselves,” wrote Cliff Gray, a PCI expert and associate with The Strawhecker Group.
“Considering that the vast majority of Tier 4 merchants are signed by ISOs, it’s imperative that these ISOs take a stronger stance at ensuring their merchants comply.”
To strengthen the alliance between the ISO and acquirer, Gray offered the following step for moving toward PCI compliance.
“ISOs should carefully review their contract(s) with their sponsor acquirer, to understand exactly what liability they bear upon the event of a merchant breach.”
Greenberg and Richard Stanton, chief technology officer and founder of ControlScan -a leading PCI assessor, who works with US acquiring institutions, merchants, ISOs, weighed in on certain steps that acquirers should take in order to facilitate PCI DSS Compliance for their merchants.
Source: http://www.pcicomplianceguide.org/pcidss/pcidssi-iso-acquirer.html
Aggregation: ParagonHost, LLC http://www.ParagonHost.com/intro.html
“World Class Internet Services”
Merchant Services: Paragon Authrorize: http://www.ParagonAuthorize.com
