Select Monthly Archives
- March 2019
- February 2019
- January 2019
- December 2018
- November 2018
- August 2018
- July 2018
- May 2018
- March 2018
- February 2018
- December 2017
- November 2017
- September 2017
- August 2017
- June 2017
- May 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- March 2016
- October 2015
- September 2015
- July 2015
- May 2015
- March 2015
- February 2015
- January 2015
- December 2014
- September 2014
- August 2014
- July 2014
- June 2014
- December 2013
- September 2012
Filed In: PCI DSS, Risk and Compliance
Written By: Chip Ross November 15, 2016
Payment aggregation is relatively new in the PCI world, and hasn’t had much exposure to the QSA community. You may have run across some entities telling prospects and clients they have no PCI obligations for any transactions undertaken using their products. These products may include websites, mobile applications and ‘dongles’ attached to or inserted in smart phones, tablets or laptops. These entities may have payment aggregation agreements in place with the Card Brands and with Acquiring Banks.
In researching this for a client, I discovered that there is a published program from VISA, which is available here: https://usa.visa.com/dam/VCOM/download/merchants/02-MAY-2014-Visa-Payment-FacilitatorModel.pdf
This document describes the VISA Payment Facilitator Model. In essence, the Payment Facilitator is the Merchant of Record, not the merchant actually selling the product. The Payment Facilitator has agreements with VISA where they are responsible for the PCI compliance of their ‘sponsored merchants’. In turn the Payment Facilitator has agreements with Acquiring Banks. In these agreements, the Payment Facilitator is allowed to assume responsibility for the PCI compliance of their ‘sponsored merchants’, as long as the ‘sponsored merchant’ conducts less than $100,000 in annual transactions.
I asked myself, ‘What if the merchant is accepting branded cards from the other Brands?’
It has been difficult to find documentation regarding similar programs for the other card brands. At the most recent PCI Community Meeting, I contacted the Card Brands and the PCI Security Standards Council in an attempt to obtain clarification and guidance. Everyone I contacted was helpful, and the Council personnel asked that I summarize the issues and send them for review.
Some of the questions that came out of my investigation are (I am using VISA’s terms, ‘sponsored merchant’ and ‘Payment Facilitator’, but these terms are meant to describe relationships that may exist with other Card Brands, Acquiring Banks and Payment Aggregators):
If a sponsored merchant is using Payment Facilitator’s website via a PC connected to their network:
- Is the PC in-scope for the sponsored merchant’s PCI compliance? If not, why not?
- What happens if a key logger obtains cardholder data (CHD) from the sponsored merchant’s PC? Is the sponsored merchant subject to fines?
- What if the sponsored merchant accepts CHD via telephone over VOIP lines before entering it in the PC? Is VOIP in-scope?
- CHD from that PC is crossing the sponsored merchant’s internal network. How can that network be out-of-scope?
- What protects the sponsored merchant from brand or reputational damage? The customer is going to see the sponsored merchant’s name and the Payment Facilitator’s name, but will most likely blame the sponsored merchant in the event of a compromise. Is the Payment Facilitator responsible for the cost of notification, fines, hiring a PCI Forensics Investigator, etc.?
If a sponsored merchant is using a Payment Facilitator’s device attached to a phone, tablet, laptop or other device owned by the sponsored merchant:
- Does requirement 9.9 apply for the Payment Facilitator’s device?
- It does not appear that any Payment Facilitator’s devices are PTS or P2PE approved solutions. Which SAQ (if any) applies?
Since VISA is the only card brand with a limit described for ‘sponsored merchants’ ($100,000 annually), what if a ‘sponsored merchant’ takes more than 20,000 transactions totaling less than $100,000? Are they now a Level 3 Merchant and required to complete an SAQ? What SAQ applies?
For now, I’m suggesting to my clients that they continue to contact any entity that informs them they have no PCI compliance obligations when using their products and ask questions to:
- Clarify ownership of Merchant IDs
- Validate payment flow. Is the settlement of accounts going into their bank from the acquirer, or is there an accounting relationship (ACH transfer) from the Payment Facilitator?
- Ensure they have agreements in writing from these entities regarding their PCI compliance obligations as sponsored merchants.
I received an initial response from Council personnel that they are reviewing the situation. I will post an update as soon as any communication is received. I’m hoping that guidance from the Council, the Brands, or both, will be forthcoming to help address this situation.