Acquirer PCI Compliance Responsibility

Currently, under PCI DSS 1.1, the emphasis of compliance is on the Level 1 and Level 2 merchants.

It is up to each acquirer, along with the issuing credit card company, to educate its merchants, vendors, service providers, and any other entity that stores or processes credit card data, and to enforce their compliance with, and validation against, the PCI DSS and CISP standards.

If you are a merchant, vendor or service provider reading this information for the first time, it might be time, or past time, to question and contact your acquirer and credit card issuer.

To take it one step further, in 2006 Visa levied $4.6 million in fines on its acquirers, up from a 2005 total of $3.4 million.

PCI DSS 1.1 sets an enforcement date for acquirers to validate PCI compliance for Level 1 and Level 2 merchants.

The enforcement dates are as follows:
  • Level 1 Merchants: Enforcement date: September 30, 2007

  • New Level 1 Merchants: Enforcement date: One year after identification as Level 1

  • Level 2 Merchants: Enforcement date: December 31, 2007

  • New Level 2 Merchants: Enforcement date: September 20, 2007

  • Level 1 and 2 Merchants: Prohibited Data Retention Attestation form, or Confirmation of Report Accuracy, to acquirer by March 31, 2007

  • Level 3 Merchants: Contact acquirer or credit card company.

  • Level 4 Merchants: Must have compliance plan submitted, via acquirer, to Visa by July 30, 2007.

For PCI compliance only, the acquirer will be fined between $5,000 and $25,000 per month for each Level 1 and Level 2 merchant that hasn't reached PCI compliance and PCI/CISP validation by September 30 and December 31, 2007.

As of March 31, 2007, if an acquirer has a Level 1 or Level 2 merchant who is still retaining full-track data, Card Verification Value (CVV2) or PIN data after the transaction authorization, Visa can fine the acquirer up to $10,000 a month per merchant, if progress toward compliance is not made in a timely manner.

According to the Visa Web site, Level 1 and 2 merchants must validate that prohibited data is not retained subsequent to authorization by submitting a completed Prohibited Data Retention Attestation form or Confirmation of Report Accuracy form to their acquirer by March 31, 2007.

© 2008 PCI Compliance Guide.org
   All rights reserved - do not copy any material without written permission.