As a small business owner, ensuring the protection of your revenue is an essential part of accepting credit cards. The best way to safeguard these payments is to establish a merchant account with a merchant services provider that is PCI-compliant. Outsourcing to a PCI-compliant service provider is one of the best ways business owners can help reduce their PCI obligations and risk of a data breach. As a business owner, it is your responsibility to make sure you are partnering with the right service providers to remain in PCI compliance. Unfortunately, approaching these third-party relationships is rarely taught, or even discussed. This blog entry is to advise business owners on how to evaluate a merchant services provider and ensure they are reputable and will dutifully safeguard your customers’ credit card information.
PCI Compliance: Asking the Right Questions
Who qualifies as a merchant services provider?
First and foremost, it is important to know which entities store, process, or transmit cardholder data (CHD) on your behalf or have the potential of impacting the security of your customers’ card data. Many small business owners are not aware of the players involved and, as a result, have no idea if these providers are taking the right steps to protect their customers’ private information and ultimately their business. To define a merchant services provider, it is an business entity that is directly involved in the processing, storage, or transmission of cardholder data. Some common examples of merchant services providers include:
- Independent Sales Organizations (ISOs)
- Transaction processors
- Payment gateways
- Hosting companies
- Managed security services providers (MSSP)
- Third party marketing firms
- Vendors that perform POS maintenance
How do I choose a merchant services provider?
Business owners should have a set process for choosing a merchant services provider (for example, verify PCI compliance status, research the company’s track record for any breach events, review documented customer complaints, etc.). You can check on the compliance state of a service provider by accessing the Visa and MasterCard registry lists, or by contacting the service provider directly. If the service provider is not on a registry list and has opted to “self-assess” their compliance, it is important to ask for proof of PCI compliance from provider. If the service provider cannot provide formal documentation proving their compliance, it is recommended that you select a provider that has completed a Level 1, on-site audit conducted by a Qualified Security Assessor (QSA). This is a necessary step in ensuring your merchant services provider is meeting the PCI compliance standards.
What questions should I ask potential service providers to validate their PCI-compliance status and procedures?
- What is included in their incidence response plans?
- Have they experienced any data breaches?
- How many years have they been in service?
- Are there available client recommendations?
- Do they run background checks on employees? (This is required for PCI Compliance.)
- Are there any complaints found through the Better Business Bureau?
Once I identify my service providers, how should I proceed?
Next, you should maintain a list of your service providers and check PCI status at least quarterly; and most importantly, ensure that there are written agreements in place acknowledging data security responsibility even down to which PCI requirements they are handling. You should also assure that the liabilities and responsibilities of the service provider are clearly stated and agreed in writing in case of a breach.
What if I am an ecommerce merchant?
Ecommerce merchants that do not have in-house expertise or resources should consider fully outsourcing their payment-card processing operations to a PCI compliant merchant services provider. By using a fully outsourced service provider, you are not storing, processing or transmitting cardholder data in electronic format on your systems. This option also greatly reduces your PCI DSS validation requirements.