Society of Payment Security Professionals Forum  

  #1  
02-05-2007, 03:51 PM
Axel Gromann
Junior Member
 
Join Date: Feb 2007
Posts: 3
Gateway/Processor Compliance Criteria

Basic outline: A third party processor/gateway transmits encrypted data on behalf of a client without being affiliated to merchant, merchant bank or cardholder's bank. I.e.: We are looking at this service as a product/black box approach that simply offers data transmission to one or more clients.

The encrypted transmission segment has to be compliant because it handles/transmits credit card data.

Questions raised:
- How to best go about third party compliance while engaged with your client --> I.e. how to make it as painless and efficient as possible
- Given that the gateway/processor segment or service does not touch upon all the PCI requirements in the scope of their service, how should one best go about ensuring their compliance and manage limiting the scope, if at all?

Thoughts?
  #2  
02-05-2007, 05:08 PM
admin
Administrator
 
Join Date: Feb 2007
Location: San Francisco, CA (USA)
Posts: 29

Axel, I'm curious if the third-party processor is both accepting and transmitting or just transmitting on behalf of the merchant. You said they are not affiliated with the merchant so I'm not certain how they obtain and process transactions for them.

If a third-party is both accepting and transmitting transactions on behalf of the merchant, then the merchant does not need to be PCI compliant as they never touch credit card data. If the third-party is using their own merchant ID there is nothing for the merchant to do. If the third-party is using the merchant's merchant ID then the merchant will need to validate the third-party is PCI compliant and maintain contracts stating such.

If a third-party (gateway/processor) is only transmitting the credit card data on behalf of the merchant, the merchant must validate that the third-party is PCI compliant with the requirements that apply to them. If the third-party accepts credit cards on behalf of the merchant then all of the PCI requirements will apply to them.

If a third-party is a gateway or processor they need to be fully PCI compliant. This means meeting all of the PCI DSS requirements. Limiting the scope is secondary to them needing to fully comply with the standard.


Copyright (c) The Aegenis Group, Inc.