PCI Compliance

Non-Compliant Service Providers Put You at Risk!

When we talk about PCI DSS compliance, the conversation usually centers on the need for merchants to be up to code. There’s another part to this equation, however, that tends to be conspicuously overlooked: the compliance of any service providers with whom merchants contract.

Outsourcing tasks to service providers, vendors, and other third parties can help merchants operate more efficiently, saving them time, money, and energy. Merchants need to exercise due diligence when researching service providers, however, to ensure that the relationship doesn’t become more of a liability than an asset.

What Are Service Providers? Why Does It Matter?

Service Provider

[noun]/* sur-vis pruh-vahy-der /

Service Provider is any group that stores, processes, or transmits cardholder data on a merchant’s behalf.

Under card network regulations, a service provider is any group that stores, processes, or transmits cardholder data on a merchant’s behalf. For these entities, PCI DSS implementation is mandatory … but validation of compliance is not. As a result, service providers may only be compliant with certain aspects of the regulations, while some may not be PCI DSS compliant at all.

But many data breaches originate with a service provider rather than the merchant. This can become a nightmare for merchants, particularly when high-profile breaches arise: regardless of where the breach occurred, the merchant will still take the bulk of the blame from customers.

PCI DSS Requirement 12.8 mandates that merchants monitor their service providers’ compliance and accept responsibility for it. This includes everything from your web hosting service to shopping cart platforms and antifraud tools. While that sounds fairly straight forward, the situation is often complicated by the fact that service providers themselves may outsource to other service providers, much like a sub-contractor.

Merchants and their service providers can follow every regulation internally, but if even one provider in the chain is not compliant, then neither are the businesses that work with them. Despite the best of intentions, merchants frequently don’t know about PCI DSS noncompliance issues until it’s too late.

How Do I Verify PCI DSS Compliance?

First, merchants should maintain a current list of all the service providers they use—and make sure this information is also sent to their acquiring bank. That acquirer then registers each service provider with Visa and Mastercard, who in turn use the information to identify potential breaches.

Beyond keeping up-to-date on all service providers, the key to ensuring PCI DSS compliance on the merchant’s end is an Attestation of Compliance (AOC). Merchants can request an AOC from their service providers at any time.

As mentioned above, validation is not always mandatory, so service providers may respond that they are not required to verify compliance because of their relationships with other businesses. In these situations, merchants may request an AOC from that business’s relevant service providers.

It takes a bit of effort on the part of the merchant, but the result is worth it. In basic terms, if a validated and registered service provider is used, the merchant won’t be liable for any breaches involving that business. The merchant would still need to reimburse victims of fraud, but would be absolved by the PCI Security Standards Council and not fined for failing standards.

Which PCI Level Are Your Vendors?

PCI compliance for service providers is split into two different levels. Many service providers are Level 2 compliant, which gives them limited authorization to handle sensitive customer data. Level 1 compliance, however, demands much stricter security standards and is far less common.

Level 1 involves on-site audits by a Qualified Security Assessor. QSAs are expert security professionals trained in the complex PCI DSS regulations. Auditing by a QSA is a lengthy, complicated, and expensive process, but it’s necessary to ensure total compliance with the highest security standards. Without this in-depth verification, merchants’ customer data is at risk of being compromised by a service provider’s inadequate security protocols.

Is Chargebacks911® PCI DSS-Compliant?

Chargebacks911 is entirely PCI DSS Level 1-compliant.

We regard the security of our clients to be one of our highest priorities. To protect our customers—and their customers—our facilities undergo a regular, meticulous audit process designed to ensure consistent compliance with these standards. All employees receive training in proper data security behaviors and are required to adhere to security best practices.

Our servers, software, and internal practices are designed to maintain PCI DSS compliance. Use of our turnkey solution means that merchants never need to worry about PCI DSS regulations impacting their approach to chargeback mitigation. We offer an innovative suite of individual products, each component of which adheres to rigorous PCI Level 1 security standards:

• Intelligent Source Detection: Used to identify previously concealed chargeback sources.
• Merchant Compliance Review: A 106-point review of business best practices compliance.
• Chargeback Alerts: Interception and prevention of chargebacks before issuance.
• Affiliate Fraud Shield: Tracking of affiliate ad campaigns to detect and prevent fraud.
• Tactical Representment: Expert handling of chargeback disputes with a guaranteed ROI.

Don’t take responsibility for your service provider’s missteps. Chargebacks911—along with all the services and industry integrations we contract—is your resource for PCI DSS-compliant chargeback mitigation.

Protect yourself and your customers by requesting more information below.