I am working with a company that does not know what level merchant they fall into and I am not sure how to rank them as well.

If a parent company has multiple child companies beneath them how does one go about calculating the transactions? Is this based on Tax ID? Merchant ID?

Each of the child companies has a different Merchant ID so that the funds are allocated to the correct place.

Not all of the child companies process transactions through the same service provider agreement. Some use a stand alone POS pad to transmit directly to the acquirer while some use another system in which transactions are sent to a central server for batch transmission to a different acquirer and others use an Internet based transaction software where they enter CC information.



Any input would be greatly appreciated.

Marc

First, the tables that the card brands provide are just for reference as merchant levels are set by the acquiring bank and/or the processor. In some rare cases, the card brands themselves will set a merchant's level.

While the 'rule' is that organizations with separate, individual divisions (i.e., multiple DBAs) is to treat them separately, merchant levels for such organizations is up to the acquiring bank or processor to determine whether they are to be treated individually or together.

So, you need to talk to the acquiring bank(s) and processors to determine what merchant level the organization will considered to be and how many reports to file. If the organizations are considered separate, then the organization will likely have to file a separate report for each entity. However, the reporting requirements will also be dictated by the acquiring bank(s) and/or processors.

jbhall pretty much nailed it. I would add one additional thought. We have a similar situation in the Higher Ed world where a single college or university may have 50, 100, or several hundred merchant IDs. The key is not to confuse merchant ID with PCI reporting or SAQ. Some acquirers group together individual merchant IDs into a single SAQ based on their payment channel. The idea is that all these merchants pose the same channel risk so the channel is the key delimiter. For example, if 10 merchants use a single e-commerce platform, that would be one SAQ to cover all 10; if another merchant ID uses a different vendor, they may be their own SAQ. As jbhall said, it is up to your acquirer.

One suggestion I'd make is to look at your situation and propose a solution to your acquirer including SAQ suggestion(s). Try not to give them a blank piece of paper. ;)

Thanks for the input, it is very much appreciated.

Marc

I work in a business where we have over 1000 chip&pin terminals in different locations.

We are trying to limit the scope, so we can get PCI compliant as cheap as possible.

Now, these 1000 terminals, elivered by a major supplier on the European market, will basicly only receive an amount from the POS and send an ACK / NACK back, together with some digits from the card (first 8 probably, we are negotiating what we can get). All card processing is done in the terminal, that talks SSL directly to the payment processor.

How much documentation / verification do we need of these black boxes approved by the payment processor ?

Those "black boxes" as you describe them should be PCI PED certified and that is all that you need. You can confirm that they are certified at the PCI SSC Web site (https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html).

If your "black boxes" are not on this list, you should get a hold of the manufacturer and find out when they will be PED certified. If the manufacturer says they don't know what you're talking about or gives you the run around, then you need to move to PED certified devices.