The other day I met with some colleagues of mine from a nearby city which was covered under our joint state-wide governmental entity merchant services contract. They had several questions raised by their legal department about their obligations under the contract. The main thrust of their questions and our subsequent conversation revolved around their liability, for both merchant activity and PCIDSS compliance, when they had completely outsourced their merchant processing to a third party.
Under the typical merchant services contract, the merchant of record is the responsible party -- for everything, including PCIDSS compliance. You can try to limit your liability by outsourcing your processing to a compliant third party processor, but in the end they are simply acting as your agent and you still carry the liability for their actions. This seemed to be a surprise to my colleagues, even though they had read the contract.
It is probably a good idea to take a few minutes to review your contract to confirm this issue. If you read it carefully, you will probably not find much, if any, discussion of third party service providers -- everything is framed in terms of your responsibilities to submit valid transactions, of proper amounts, for legal goods and services, in accordance with the card association rules, and so forth. In addition, your agreement likely requires you to indemnify the acquirer against any losses or liabilities arising from your service provider's actions or inaction.
You might also want to talk to your bank about being the merchant of record. In our discussions with our bank, they have always indicated that the "merchant of record" is the responsible entity (as well as their client) for everything, including PCIDSS compliance. If you are not the merchant of record, though, then it's not your problem -- at least according to our bank. I'm not sure that is the entire story, however, as it is very possible to take a hit to your reputation even if a third party is the merchant of record but processing transactions for your customers (say, an online event registration site processing registrations for one of your departments).
As can be inferred from the new SAQ A under version 3.0, even outsourcing everything to a compliant third party processor still requires:
- Confirmation of service provider compliance with the PCIDSS, as well as ongoing monitoring of that compliance
- Prohibition of the electronic storage of cardholder data
- Physical security of any cardholder data which may be held on paper
- Destruction of the cardholder data when no longer needed, if retained
- A security policy in place that covers cardholder data security, management of third party service providers, written agreements with service providers, and specification from the service provider about which PCIDSS requirements they manage and which are your responsibility
Joe Tinucci is the Assistant Treasurer at the University of Colorado, where he manages the University's banking relationships. As part of that job, he also drives the PCIDSS compliance process for approximately 160 card-accepting merchants across diverse card-acceptance environments on four campuses. Joe can be reached at (303) 837-2185 or firstname.lastname@example.org.