Posted by: paragon | December 28, 2007

PCI Compliance and Level 4 Merchants

For Level 4 merchants-brick and mortar or e-commerce sites with Less than 20,000 V/MC e-commerce transactions annually, and all merchants across channels up to 1,000,000 VISA transactions annually-understanding and following the rules of PCI compliance has been murky journey at best.

Despite the copious documentation available at the PCI Security Standards Web site, for many merchants, especially Level 4 merchants, knowing how to introduce and maintain a PCI compliance program is proving to be a puzzling endeavor.

It’s critical that acquirers maintain active and open communication of all policies and procedures with merchants, member banks and the card associations.

Acquirers are the new gatekeepers for PCI compliance information for merchants, but they also serve as information convergence points for card issuers and for third party vendors like ASVs.

It’s up to the acquirers, according to PCI Standards and Security Council, Visa and MasterCard, to ensure that their merchants follow the procedures for compliance.

For acquirers who are not vigilant about merchant compliance, the fines for non-compliance will be steep. Acquirers, whose Level 1 and 2 merchants are not compliant, will be fined between $5,000 and $25,000 a month.

Whether they wish to take on the gate-keeper role or not, Acquirers must step up to the plate, answer and clarify questions that merchants have, concerning the PCI process, or they face the consequences.

According to some merchants, and those working for merchants, how much involvement an acquirer has with the merchant, or the information that is given to the merchant by that acquirer, depends on the acquirer. The acquirer’s information is directly linked to the particular credit card brand’s rules, as well as PCI DSS guidelines. If there is little or no communication between the merchant, acquirer and the card brand, problems begin to accrue.

“The fact that the five major brands have agreed on a single standard is good. Unfortunately, due to federal laws, they do not have full freedom to agree on implementation standards,” said Ron Greenberg, COO of merchant acquirer, PowerPay, LLC.

Based in Portland, ME, PowerPay works with merchants across the US, from retailers, restaurants to convenience stores, all through it’s ‘member bank’ HSBC, and whose business partners include companies like Time Warner Cable, and The California ISP Association.

According to Greenberg, the different credit card brands introduce a whole new level of confusion for merchants and acquirers alike, when it comes to PCI compliance.

“For instance, Visa has defined four levels of compliance for merchants along with a set of fines and penalties,” he explained.

“MasterCard has a different set of rules as well as reporting requirements. Multiply this by five and it creates a mess of rules and compliance issues we need to track.”

When asked, bluntly, whether he felt PCI DSS was going to help or hinder acquirers, his answer was just as blunt.

“They [PCI guidelines] are a necessary evil. Any time you add more procedures it is a headache. Will it help? In the long run it should. But everyone must realize it will not solve the problem.”

Some merchants and employees of merchants, who are charged with facilitating the merchant acquirer relationship, seem to add credence to Greenberg’s assertions.

“I have the feeling, although I can not substantiate it to any degree, that the requirements a merchant is under (particularly absolute compliance dates) varies depending on which Acquirer you are going through,” posted Information Security Manager Andrew Mason, on a PCI Compliance Web forum, recently.

Mason, who works for a merchant company in Spain, is paired with an acquirer based in the United Kingdom; an acquirer that isn’t offering the kind of support he thinks is needed. As well, the answers he’s receiving from the credit cards, themselves, have been nebulous, at best.

“Visa seems happy as long as you can prove ‘progress’ in your PCI Compliance project,” commented Mason. “MasterCard appears to be less clear on the various aspects of compliance, particularly the dates.”

He continued, “I asked a question in a webinar recently which was joint hosted by MasterCard. The question was directed to the MasterCard rep. who was VP of something or other to do with PCI / Compliance. The question was, ‘when is the absolute deadline date for compliance?’ ”

“The answer? Any guesses? ‘Speak to your Acquirer'”


Aggregation: ParagonHost, LLC

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


%d bloggers like this: