Who is the acquirer?
It's a basic question, yet for merchants new to PCI compliance in general, the name 'acquirer' may mean several different things.
For some, it means the 'acquiring bank,' which is also known as the 'member bank.' The member or acquiring bank is the bank that underwrites and issues the credit card from the card associations to acquirers and ISOs. The member bank is just that: a member of the card association-the card association that gives it's approval and permission for that bank to issue cards with the Visa, MasterCard, Discover or American Express logo.
But an 'acquirer' usually refers to the entity-usually a credit card processor--that provides credit card processing services for Visa, MasterCard, AmEx and Discover receipts collected by merchants, directly or through an affiliated ISO.
Moreover, another layer of merchant confusion comes in because there are times when an ISO is considered an acquirer as well, or, in the case of a company like North American Bancard, a Super ISO-an entity that takes the liability responsibility on, that the acquirer would usually take on for the ISO.
The member bank/acquiring bank receives funds from a cardholder when a credit card transaction is completed, and deposits the payment amount, minus any fees, into the merchant's Merchant Account and from there into his business checking account.
From a merchant perspective, knowing the acquirer may be a rather confusing question to even ponder, but it falls to the acquirer to make sure merchants, no matter their level, become compliant.
With these new directives in place, it's incumbent upon the acquirers take their own steps to ensure that they understand what their merchants, ISOs and, in some cases, third party vendors need and to make their merchants understand the PCI compliance process completely.
ISOs and the acquirer
According to an article entitled, "PCI Demands the Attention of Acquirers Now More than Ever Dramatic Non-Compliance Puts ISOs and Acquirers at Risk," in the May 2007 online edition of "The Exchange" newsletter from the Strawhecker Group-a management consulting company focused exclusively on the merchant acquiring sector of the payments Industry-the relationship between an ISOs and acquirers is very important.
"The liability for non-compliance, when a merchant is breached and/or compromises sensitive data, lies on the acquiring institution; typically, this is passed on to the ISO providing Merchant Services and by that ISO onto the merchant themselves," wrote Cliff Gray, a PCI expert and associate with The Strawhecker Group.
"Considering that the vast majority of Tier 4 merchants are signed by ISOs, it's imperative that these ISOs take a stronger stance at ensuring their merchants comply."
To strengthen the alliance between the ISO and acquirer, Gray offered the following step for moving toward PCI compliance.
"ISOs should carefully review their contract(s) with their sponsor acquirer, to understand exactly what liability they bear upon the event of a merchant breach."
Greenberg and Richard Stanton, chief technology officer and founder of ControlScan -a leading PCI assessor, who works with US acquiring institutions, merchants, ISOs, weighed in on certain steps that acquirers should take in order to facilitate PCI DSS Compliance for their merchants.
Print this page
Send this page to a friend
Who is the acquirer?
Step 1: Engage all internal resources
Step 2: Acquirers and ISOs-Identify and partner with a qualified ASV and/or QSA
Step 3: Engage all external resources to make your merchants aware of PCI Compliance
Step 4: Supply the tools that the merchant needs for PCI compliance
Step 5: Implement and maintain a proper tracking and reporting system
Other considerations for acquirer and third-party provider back-end best practices