PCI Compliance: Acquirers and ISOs December 28, 2007
Posted by paragonhost in Hosting News, Internet, Internet Protection, ModernBill, Network 101, PCI Compliance, ParagonAuthorize, ecommerce. Tags: Acquirers, Compliance, ControlScan, Credit Card Fraud, eOnlineData, HackerSafe, ID Theft, Identity Theft, Internet eCommerce, ISO, Master Card, Merchant Services, online merchants, Paragon Authorize, ParagonAuthorize, PCI, ScanAlert, Security Focus, Visa
For liability reasons, an acquirer should not directly advocate any one ASV or QSA to its merchants; however, it is acceptable for the acquirer to tell merchants which third party company or companies it has strategic partnerships with.
“Try to seek a partner who you can rely on to assist with your PCI compliance program. ControlScan offers a number of solutions for merchants, ISOs and acquirers and currently partners with one of the largest acquirers in the United States,” said Stanton.
The PCI Security Standards Council also maintains a list of approved ASVs and QSAs, and Visa and MasterCard each publish their own lists on their Web sites.
“Acquirers and ISOs should establish a relationship with a trusted, association-approved PCI assessor, and develop a program for all their merchants to establish compliance, and ensure periodic testing so that compliance remains intact moving forward,” wrote Gray.
A model relationship
Third Party ASV
ControlScan, Inc. is an Atlanta, Ga.-based, PCI Security Standards Council-approved scanning vendor (ASV), providing vulnerability scans and assessments, compliance assistance and network security. Its clients include Fortune 500 and billion-dollar corporations such as Travelers Insurance and PBS. The company offers a turnkey, no-software-needed approach to PCI compliance, and its security certificates assist in meeting the criteria for mandates in Europe, Japan, Canada, ISO and the USA, not only for PCI compliance but also for Sarbanes-Oxley, HIPAA, GLBA and FISMA fulfillment.
Acquirer
According to ControlScan’s CTO and founder, Richard Stanton, the company recently became the ASV for PowerPay, LLC, mentioned previously in this article.
“PowerPay requested that we [ControlScan] conduct all of their mandated PCI compliance scans, for all 16,500 of their merchants,” said Stanton. “What sets us apart from other vendors is that we actually call the merchants directly, and we also provide a secure Web system, so a company like PowerPay can log into our system and check their merchants’ PCI status at any time.”
He continued, “ControlScan is very proactive, providing contact with the merchant in order to make sure each merchant is PCI compliant…we actually make direct phone calls to each merchant.”
According to PowerPay President Ron Greenberg, after meeting representatives from ControlScan at an industry conference, the company decided ControlScan offered the best PCI compliance scanning program.
“They have a very structured program of trained outbound sales agents along with personalized consulting to assist our merchants in complying with PCI DSS,” says Greenberg. “Other vendors typically did limited outbound sales with no technical support to the merchant.”
In addition to the quarterly network scans mandated by PCI DSS, ControlScan offers an automatic submission solution for merchants sending in the 12-section PCI Self-Assessment Questionnaire.
ISO
e-Online Data is a credit card processor offering merchant solutions for Internet, mail order and auction sellers. It services e-commerce merchants ranging from startups to billion-dollar companies, according to its Web site.
At the bottom of the e-Online Data homepage, there is a sentence that reads, “e-onlinedata is a registered ISO/MSP of HSBC Bank USA, National Association, Buffalo, NY.”
In this model, HSBC Bank USA is the actual acquiring or ‘member bank’, and e-Online Data is considered an ISO.
The partnership between acquirer, member bank, ISO, third party ASV and merchant looks like this:

PCI Compliance: Who is the Acquirer? December 28, 2007
Posted by paragonhost in Internet, Internet Protection, PCI Compliance, ParagonAuthorize, Technology News, ecommerce. Tags: Acquirer, Bank, eOnlineData, Internet, Internet Security, Master Card, Merchant, Merchant Services, Online eCommerce, ParagonAuthorize, PCI, PCI Compliance, Security Focus, Transactions, Visa
Who is the acquirer?
It’s a basic question, yet for merchants new to PCI compliance, the name ‘acquirer’ may mean several different things.
For some, it means the ‘acquiring bank,’ also known as the ‘member bank.’ The member or acquiring bank is the bank that underwrites and issues the credit card from the card associations to acquirers and ISOs. The member bank is just that: a member of the card association, the association that gives its approval and permission for that bank to issue cards bearing the Visa, MasterCard, Discover or American Express logo.
But an ‘acquirer’ usually refers to the entity (usually a credit card processor) that provides credit card processing services for the Visa, MasterCard, AmEx and Discover receipts collected by merchants, either directly or through an affiliated ISO.
Another layer of merchant confusion arises because there are times when an ISO is considered an acquirer as well, or, in the case of a company like North American Bancard, a Super ISO: an entity that takes on the liability the acquirer would usually bear for the ISO.
The member bank/acquiring bank receives funds from a cardholder when a credit card transaction is completed, and deposits the payment amount, minus any fees, into the merchant’s merchant account and from there into the merchant’s business checking account. From a merchant’s perspective, identifying the acquirer may be a confusing question to even ponder, but it falls to the acquirer to make sure merchants, no matter their level, become compliant. With these new directives in place, it is incumbent upon acquirers to take their own steps to understand what their merchants, ISOs and, in some cases, third party vendors need, and to make their merchants understand the PCI compliance process completely.
ISOs and the acquirer
According to an article entitled “PCI Demands the Attention of Acquirers Now More than Ever: Dramatic Non-Compliance Puts ISOs and Acquirers at Risk,” in the May 2007 online edition of “The Exchange” newsletter from The Strawhecker Group (a management consulting company focused exclusively on the merchant acquiring sector of the payments industry), the relationship between ISOs and acquirers is very important.
“The liability for non-compliance, when a merchant is breached and/or compromises sensitive data, lies on the acquiring institution; typically, this is passed on to the ISO providing Merchant Services and by that ISO onto the merchant themselves,” wrote Cliff Gray, a PCI expert and associate with The Strawhecker Group.
“Considering that the vast majority of Tier 4 merchants are signed by ISOs, it’s imperative that these ISOs take a stronger stance at ensuring their merchants comply.”
To strengthen the alliance between the ISO and the acquirer, Gray offered the following step for moving toward PCI compliance.
“ISOs should carefully review their contract(s) with their sponsor acquirer, to understand exactly what liability they bear upon the event of a merchant breach.”
Greenberg and Richard Stanton, chief technology officer and founder of ControlScan (a leading PCI assessor that works with US acquiring institutions, merchants and ISOs), weighed in on certain steps that acquirers should take in order to facilitate PCI DSS compliance for their merchants.
Source: http://www.pcicomplianceguide.org/pcidss/pcidssi-iso-acquirer.html
Aggregation: ParagonHost, LLC http://www.ParagonHost.com/intro.html
“World Class Internet Services”
Merchant Services: Paragon Authorize: http://www.ParagonAuthorize.com
PCI Compliance and Level 4 Merchants December 28, 2007
Posted by paragonhost in Internet, Internet Protection, PCI Compliance, Technology News, ecommerce.
For Level 4 merchants (brick-and-mortar or e-commerce sites with fewer than 20,000 Visa/MasterCard e-commerce transactions annually, and all merchants across channels with up to 1,000,000 Visa transactions annually), understanding and following the rules of PCI compliance has been a murky journey at best.
Despite the copious documentation available at the PCI Security Standards Web site, for many merchants, especially Level 4 merchants, knowing how to introduce and maintain a PCI compliance program is proving to be a puzzling endeavor.
It’s critical that acquirers maintain active and open communication of all policies and procedures with merchants, member banks and the card associations.
Acquirers are the new gatekeepers for PCI compliance information for merchants, but they also serve as information convergence points for card issuers and for third party vendors like ASVs.
It’s up to the acquirers, according to the PCI Security Standards Council, Visa and MasterCard, to ensure that their merchants follow the procedures for compliance.
For acquirers who are not vigilant about merchant compliance, the fines for non-compliance are steep: acquirers whose Level 1 and Level 2 merchants are not compliant will be fined between $5,000 and $25,000 a month.
Whether they wish to take on the gatekeeper role or not, acquirers must step up to the plate and answer and clarify the questions merchants have concerning the PCI process, or they face the consequences.
According to some merchants, and those working for merchants, how much involvement an acquirer has with the merchant, and what information the acquirer gives the merchant, depends on the acquirer. The acquirer’s information is directly linked to the particular card brand’s rules as well as the PCI DSS guidelines. If there is little or no communication between the merchant, the acquirer and the card brand, problems begin to accrue.
“The fact that the five major brands have agreed on a single standard is good. Unfortunately, due to federal laws, they do not have full freedom to agree on implementation standards,” said Ron Greenberg, COO of the merchant acquirer PowerPay, LLC.
Based in Portland, ME, PowerPay works with merchants across the US, from retailers and restaurants to convenience stores, all through its ‘member bank,’ HSBC; its business partners include companies like Time Warner Cable and The California ISP Association.
According to Greenberg, the different credit card brands introduce a whole new level of confusion for merchants and acquirers alike, when it comes to PCI compliance.
“For instance, Visa has defined four levels of compliance for merchants along with a set of fines and penalties,” he explained.
“MasterCard has a different set of rules as well as reporting requirements. Multiply this by five and it creates a mess of rules and compliance issues we need to track.”
When asked, bluntly, whether he felt PCI DSS was going to help or hinder acquirers, his answer was just as blunt.
“They [PCI guidelines] are a necessary evil. Any time you add more procedures it is a headache. Will it help? In the long run it should. But everyone must realize it will not solve the problem.”
Some merchants, and employees of merchants who are charged with managing the merchant-acquirer relationship, seem to add credence to Greenberg’s assertions.
“I have the feeling, although I cannot substantiate it to any degree, that the requirements a merchant is under (particularly absolute compliance dates) vary depending on which acquirer you are going through,” Information Security Manager Andrew Mason recently posted on a PCI compliance Web forum.
Mason, who works for a merchant company in Spain, is paired with an acquirer based in the United Kingdom, an acquirer that isn’t offering the kind of support he thinks is needed. The answers he has received from the card brands themselves have been nebulous at best.
“Visa seems happy as long as you can prove ‘progress’ in your PCI Compliance project,” commented Mason. “MasterCard appears to be less clear on the various aspects of compliance, particularly the dates.”
He continued, “I asked a question in a webinar recently which was jointly hosted by MasterCard. The question was directed to the MasterCard rep, who was VP of something or other to do with PCI / compliance. The question was, ‘When is the absolute deadline date for compliance?’
“The answer? Any guesses? ‘Speak to your Acquirer.’”
Source: http://www.pcicomplianceguide.org/pcidss/iso-acquirer.html