Managing the Compliance process in PCI Level 1, 2 & other strategically important merchants


by Paul Prior, SVP Client Engagement


VISA Inc, in a bulletin issued the middle of last year outlined enhancements to their PCI DSS Enforcement Plan for merchants and service providers. The plan defined a structure of escalating consequences for entities either with expired PCI DSS Compliance or those who have never demonstrated PCI DSS Compliance.


The enforcement plan is to address gaps in compliance rates, particularly among Level 1 and 2 merchants and service providers, and is positioned as:

“Visa encourages clients to work with their non-compliant or overdue Level 1 and Level 2 merchants and service providers immediately to either obtain validation documentation or a remediation plan”




Webpage URL

Find out more about our PCI DSS compliance services by clicking the button below


As part of the enforcement plan Visa, Inc. began noncompliance assessments on 1st January 2015, and fines will be applied for non-compliant or overdue Level 1 and Level 2 merchants and service providers without a remediation plan.


At present with over 200 days passing since this date, many non-compliant entities and those who have not renewed their compliance in 2015, are liable to the fine structures outlined in the PCI DSS Enforcement plan.


Working with some of the top merchant acquiring companies in the world over the past number of years has given Sysnet a deep insight into how they manage the PCI DSS compliance status and associated reporting requirements.


It is our experience that many acquirers will be struggling to manage the reporting of the compliance status of these types of entities and we have identified a number of key areas that are routinely the cause of operational inefficiencies and significant administrative overhead within these organisations.

Gathering and collating data

One of the main issues is gathering and collating data. The data acquirers need to manage the compliance process and fulfil the reporting requirements is often dispersed and decentralised. Every merchant has their own unique set of demographic information, compliance data, historical activity, and validation cycle.


Given the nature of the relationship between the acquirer and these entities, communications and interactions are often funnelled through a single channel, typically represented by an individual account or relationship manager.


This creates communications challenges for the compliance manager. The process can be manual, time consuming, leads to wasteful work-practices and frequently creates an unacceptable time-lag between communication and response. The result of this is inaccurate and out-of-date reporting.

Difficulties with monitoring

In many cases the compliance manager has no way to monitor whether or not this process is functioning efficiently and a lack of centralised management of communication causes some entities to be harassed while others are not contacted at all!


While the aforementioned issues undoubtedly represent inefficiencies, they are potentially exacerbated in the event of an Account Data Compromise (ADC). Managing the incident response, forensic investigation and reporting processes associated with an ADC create a whole separate set of manual processes and administration tasks.


In driving higher compliance rates and meeting the requirements of Visa’s enforcement plan, acquirers should be analysing internal business processes that:


  • provide a pragmatic approach to merchant compliance management, and in doing so reduce the likelihood of non-compliance assessments;
  • increase efficacy in programme execution by facilitating high compliance rates resulting in lower risk exposure;
  • reduce the time required for compliance management and administrative tasks and improve transparency, consistency and accuracy of communications and reporting.

To learn more about our solutions or for more information about our services, please visit Sysnet.air or email


Like this Article?

Subscribe to receive more tips & news about Cyber Security, Compliance and a lot more!

  • Sysnet Global Solutions will use the information you provide on this form to be in touch with you regarding non-promotional as well as promotional material by email and phone. If you agree to same, then please select the ‘I consent’ box after reading the terms and conditions listed below in relation to consent. You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, update your preferences for communications, content etc. by clicking on the update my preferences button in any email we send you or by contacting us at We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms. We use Pardot as our marketing automation platform. By clicking below to submit this form, you acknowledge or agree that the information you provide will be transferred to Pardot for processing in accordance with their Privacy Policy and Terms