Though using a third party payment processing provider will relieve an SME of the need to keep its in-house systems and procedures compliant with the code, it doesn’t negate the SME’s responsibilities under the code. In other words, as the PCI Council has recently confirmed, if your payment processing provider isn’t doing its job properly, then you could be liable.
Guidance to vet your payment processing provider
Fortunately, the PCI Council doesn’t simply make this ruling and then leave smaller companies hanging out to dry. It produces a guidance document (available from its website) which explains all the responsibilities that SMEs must undertake, and how they can make sure a payment processing provider is doing likewise.
The guidance covers a number of areas, including:
- Determining the scope of the services you require from the payment processing provider
- Undertaking the due diligence of the payment processing provider
- Documentation involved in engaging the services of a payment processing provider
- Guidance on monitoring and measuring PCI DSS compliance
Three things to do now to ensure your payment processing provider is PCI DSS compliant
The PCI Council guidance provides a full checklist of PCI DSS compliance requirements, but here are our three most important things to do. By putting these on a timetable, you should ensure you stay within the code with your payment processing provider:
- Once a year, complete a risk assessment on where the card data is handled
- Make sure you regularly have sight of current evidence of third party provider PCI DSS compliance, and their certificates of registration
- Ensure your internal processes relating to third party applications adhere to the guidelines provided by the payment processing provider and are, themselves, PCI DSS compliant
Remember, when you use a payment processing provider you don't pass on the obligation to be PCI DSS compliant; but you do pass on the responsibilities and costs of keeping up-to-date with the code and putting its requirements into practice.