Conglomerates, subsidiaries, and acquirers
Bruxo1
02-13-2009, 10:56 AM
Ladies and Gents, I am trying to determine how the following scenario would play out:
If a worldwide company owns multiple, distinct entities, and each of those entities has its own number of acquirers, would the merchant level be set at the worldwide level, or the distinct entity level?
How should the structure be reported to the acquirers and AMEX in order to fairly represent environment and be fairly assigned a merchant level?
Thank you for your advice.
lyalc
02-13-2009, 01:16 PM
The PCI level is likely going to be determined by the primary acquirer (if there is one) for each entity, or through discussion with the card schemes.
Or each entity could total up its payment card transaction volume and choose to undergo onsite assessment anyway if they feel it appropriate. The acquiring banks won't penalise them if they have been more stringent in validating compliance.
Thirdly, on-site assessment and resulting RoC is less likely to run into the potential situation (likely or not) where one acquirer is not satisfied with the entity's SAQ.
And then there is the complication of possibly completing and sending different SAQs to different acquirers due to different payment services/methods in use.
In my experience such a structure leads to at least one of the entities providing some form of PAN storage, processing or transmission and thus may be a service provider and hence should undergo an on-site audit.
lyalc
jbhall56
02-14-2009, 07:45 AM
Technically, if each organization is their own legal entity (i.e., separately incorporated) under the umbrella of a holding company, then they are treated separately by the PCI DSS.
However, that said, as Lyalc points out, it's up to your acquirers, processors and possibly the card brands to determine this and give you the okay to report separately.
In most cases, they will treat your individual organizations as separate entities. However, I have seen instances where common systems were used by the organizations and the acquirers decided they should be treated all together as a single entity.
lyalc
02-14-2009, 02:20 PM
This is particularly true when one business has several merchant facilities with different acquirers e.g. retail stores, ecommerce, phone/mailorder, and countries.
lyalc
wconway
02-15-2009, 10:18 AM
Given the complexity of the situation you describe, I'd add a suggestion. Contact each acquirer and get them to give you a list of all merchant IDs and summary of payment card transactions they processed by brand for the past year. The idea is that your situation is complex, and you could easily be missing something. At least these reports will give you an idea of merchants, volumes, and payment channels. I'm working with a multi-country merchant now, and doing such a payments analysis gave us a good handle on the size and scope of the effort.
jonassono
02-16-2009, 10:09 AM
I am currently assisting a large university with their compliance efforts and they have literally hundreds of faculties and non-academic service departments that accept payment cards and need to comply with PCI-DSS. There are 9 or 10 different acquirers and dozens of different payment processors. Accordingly, I'm not clear how they could be lumped together as one merchant, have one SAQ or onsite assessment and satisfy all of the different security program requirements. In a similar way, if any one of them cannot comply for some reason, or fell out of compliance, then all of them would become classified as 'non-compliant'. HHHmmm!!!
jbhall56
02-16-2009, 04:46 PM
This is where the card brands typically get involved if any one or more of the processors go to any of the card brands to get a determination on whether or not the merchant should be treated as a single entity.
The way to deal with this is to be proactive and talk to all of the processors and get them to agree en-mass to separate ROCs/SAQs.
wconway
02-18-2009, 06:34 AM
I work with many higher ed institutions on PCI, and I agree the situation is complicated. Yours, however, sounds particularly rough: while it is not unusual to have many merchant IDs including student organizations, faculty (conferences, pubs), and affiliates (from parking lots to whatever), it is unusual to see their treasury operation so out of control. Usually there is one acquirer, or at least one main one.
Like Jeff said above, it will be up to the acquirer(s). I'd start with making sure you know who they all are. After your payments analysis, I'd suggest proposing an approach. If the school has a couple of common platforms (POS, ecommerce), then try to lump all the merchants using those into single SAQs by platform (assuming you are not dealing with any L1 merchants, which is likely). The acquirers should agree since the platform or channel is the source of their risk. Long term, I'd work with their treasurer to get some policies and rules in place so the school focuses its business -- better control and possibly a lower price, too.
Lastly, get the school to go to the Treasury Institute for Higher Education's website for help including their PCI Workshop in May (and yes, that was a shameless plug since I moderate the workshop).
Bruxo1
02-18-2009, 08:49 AM
Thank you all for your very detailed, and helpful responses. I will meet with the acquirers, as recommended, and work with them to determine next steps.