‘Ask a QSA’ has received a number of queries recently. The question below is somewhat unusual, but it will resonate with some of our clients. Seasoned QSA Natasja Bolton stepped up to the challenge.
Do acquirers need to be listed as a service provider in Part 2f of the SAQ or included in the merchant’s fulfilment of Requirement 12.8?
Natasja Bolton, Acquirer Support Manager
In helping merchants complete their Self-Assessment Questionnaire (SAQ), the Sysnet Contact Centre and our QSA team are often asked whether the merchant’s acquirer needs to be listed as a service provider in Part 2f of the SAQ or included in the merchant’s fulfilment of Requirement 12.8 (service provider management).
Conveniently, the PCI SSC has published an FAQ that answers this very question:
Are acquirers considered service providers for the purpose of PCI DSS Requirements 12.8 and 12.9?
Service providers include business entities that are not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This includes organizations providing acquiring services – for example, payment gateways, PSPs, ISOs etc.
However, an entity that acquires a merchant’s payment transactions and is defined by a payment brand to be an acquirer is not considered a service provider for that particular merchant’s PCI DSS compliance for the purpose of Requirements 12.8.
If the acquirer provides other services to the merchant, for example management of the merchant’s payment terminals, then the merchant and acquirer should work together to understand which party is responsible for managing the applicable PCI DSS requirements for the services provided.
Whether acquirers are required to validate PCI DSS compliance, including Requirement 12.9, is determined by the individual payment brands.
This FAQ leads us to conclude that an acquirer, if acting as a provider of services to a merchant (e.g. as a ‘merchant agent’ or ‘merchant servicer’), should be considered a service provider in scope for Requirement 12.8.