Who needs to be compliant with the Payment Card Industry Security Standards Council standards? Well, the default response is usually – anyone who stores, process, and transmits card holder data. There is constant discussion on pre-auth / post-auth / banking partners / etc..
A recent question I received was … Do ISO (Independent Sales Organizations) need to be compliant with PCI DSS?
This is a great question because it brings into the forefront the Third Party Providers. While the classic response – “it depends” applies generically, let me elaborate and provide where it DOES exist.
According to Visa’s website, an ISO for this definition is also more broadly classified as a “Third Party Agent”. Specifically here are the various functions that can be performed (This is key for eliminating the it depends statement from your situation):
A TPA can perform any or all of the functions of an: Independent Sales Organization (ISO), Third Party Servicer (TPS), Encryption Support Organization (ESO) and Merchant Servicer (MS). Each function performed by the TPA must be registered by each Visa client that is utilizing those services. TPA functions that require registration include but are not limited to:
- Merchant or cardholder solicitation activities and / or customer service — these are performed by an ISO
- Prepaid program solicitation activities and / or customer service — these are performed by an ISO
- Loading or injecting encryption keys into ATMs, terminals or PIN pads — these are performed by an ESO
- Loading software into an ATM or terminal — these are performed by an ESO
- Storing, processing or transmitting Visa account numbers — these are performed by either a TPS or a MS
- Deploying and / or servicing ATMs – these are performed by an ISO
Beyond registration requirements, all service providers – need to be compliant, as it is the acquiring banks liability if they are not.
Both issuers and acquirers must use, and are responsible for ensuring that their merchants use, service providers that are properly registered with Visa. Where applicable they must also ensure that all such entities are compliant with the PCI DSS and PCI PIN. Although there may not be a direct contractual relationship between merchant service providers and acquirers, Visa acquirers are responsible for any liability that may occur as a result of non-compliance.
In addition, Visa has provided enhanced clarification in their list of ISOs (published 7/15/2010) that lists registered organizations. The document states that “entities utilizing this list should perform their own additional due diligence to ensure that the service prover is also compliant with any additional requirements that the entity may have in place.”… “Entities that store, process or transmit cardholder data must be registered with Visa and validate PCI DSS compliance.”
There are certainly relationships that may provide exceptions, but the process above shows that if you store, process, or transmit card holder data – proper security and compliance (and Validation where appropriate) with PCI DSS is necessary.
James DeLuccia IV