An increasing number of companies are using third-party service providers (TPSPs) to process their credit card payments and address the costly burden of compliance to meet PCI DSS requirements.
Outsourcing raises an interesting compliance question: do you still have to be PCI compliant if you outsource the processing of credit cards to a third party?
In short, “yes”.
Related article: Data Breaches and PCI Compliance: Risk Exposure and Third Party Processor (2/3)
If your organization accepts credit cards, then it must be PCI DSS compliant, even if it does not itself handle the collection, processing, and storage of the protected cardholder data.
Indeed, every organization that accepts credit cards enters into one or more agreements with its bank, according to which the organization must:
The merchant is also required to report any card data compromise event to its bank, who then notifies the credit card association behind the PCI DSS compliance conditions.
In case of a breach, the merchant might be required to retain and pay for a Payment Card Industry Forensic Investigator (PFI) to conduct a forensic examination of the processing environment. This can be costly, depending on the size of the business.
The process moving forward is explained in the credit card brand regulations (e.g. Visa International Operating Regulations or MasterCard Security Rules and Procedures). Generally, the investigator must determine whether your organization was compliant at the time of the breach. Each credit card brand will impose a separate fine for non-compliance and can impose additional penalties for not reporting the incident immediately. These fees are claimed by virtue of the indemnity provisions in the Merchant Services Agreement; your bank will claim the money on behalf of the credit card companies. Your bank may also decide to increase transaction fees or, in some cases, simply terminate the business relationship to eliminate the risk.
According to David A. Zetoony, attorney at Bryan Cave LLP, and Courtney K. Stout, attorney at Davis Wright Tremaine LLP, “payment brands can assess more than 25 different contractual penalties, fines, adjustments, fees, and charges upon a retailer following a PCI data security breach”.
Outsourcing does reduce the compliance burden: in most cases the organization will only have to complete a Self-Assessment Questionnaire. Nonetheless, there are other factors to consider when dealing with a third-party service provider, such as class action exposure and due diligence in vetting TPSPs. Read the article about data breaches and PCI compliance for more information.