Secure Payments, PCI DSS, Regulatory Compliance Blog

What if a Merchant outsources transaction processing to a Service Provider?

November 7th, 2006 by datasecurity Posted in Merchant, PCI DSS, Service Provider

There was an interesting question posted on the pciFile.org site:

Description:
Level 4 merchant M is registered with processor P. M outsources payment transactions to service provider S, who collect M’s payment transactions via phone orders or batch data transfers.

Here’s the interesting part - M has authorized S to send M’s payment transactions to P as merchant M, and not as service provider S.

Question:
Is service provider S considered a payment gateway?

The reply came as follows:

To be classified as a merchant a company must have a merchant ID assigned by either a member or ISO/MSP.

Since the company sits in the middle of the transaction process between ‘M’ and ‘P’, then it technically meets the definition of a gateway as defined by Visa. Since ‘S’ is storing data on behalf of a merchant, ‘S’ is considered a data storage entity (DSE) by MasterCard rules.

Simply because ‘M’ is enabling ‘S’ to act as a merchant does not mean that ‘S’ is a merchant. The description provided would classify them as a DSE by MasterCard rules and a Gateway by Visa rules. Visa requires all gateways to be treated as level-1 service providers.

Check out other posts for more information about the difference between a gateway, service provider, and a DSE.

Now we understand that, in this example, the service provider is a gateway (Visa) and a DSE (MasterCard). But does the merchant even need to be PCI compliant?

Many people think that by outsourcing transaction processing to a service provider (SP) they also outsource liability and compliance requirements. This depends heavily on whether the SP uses the merchant’s Merchant ID or has its own. If the SP uses the merchant’s ID, then the merchant is still liable (via their acquirer and card association) for any fraudulent use of the credit card data handled by their SP.

If the SP uses its own ID (separate from the merchant’s ID) and the merchant never stores, processes, or transmits the credit card data (in electronic or paper form), then the merchant has successfully outsourced its liability and compliance requirements.

This is an important distinction that all merchants and service providers (and DSEs) should be aware of.
