First, a caveat: this blog is not aimed at all acquirers, nor at every individual at any one acquirer; there are some very professional, knowledgeable, and pragmatic acquiring banks out there who are providing excellent advice and guidance to their merchant base.
Then there are the others who not only seem to have no idea what they are talking about, but are actually making things actively worse in terms of both resource effort and overall expenditure for their merchants. This is supposed to be a program of APPROPRIATE security, not just compliance.
The latest, utterly inexcusable example of this is a Level 3 merchant I know who, wanting to do things properly, hired a QSA company to come in and help them prepare for the completion of their SELF Assessment Questionnaire (SAQ).
The first thing the QSA had to do was get the merchant to ask the acquirer which SAQ they wanted, as the acquirer had left that to the merchant. For those who don’t know, it’s the acquiring bank’s responsibility to determine the correct SAQ based on the merchant’s business processes and card transaction volume. The acquirer should NEVER point at a QSA for this decision, and should most certainly not be leaving it up to the merchant.
After spending a significant amount of time and money, this particular merchant completed 2 compensating controls, which were then required to be signed off by a QSA!! Are you kidding me!? It’s a SELF assessment!! You show me a QSA who will sign off on a compensating control without the context of a FULL Level 1 assessment or a million caveats and I’ll show you an idiot.
Now try to imagine this merchant’s frustration when he knows another similar merchant had just filled out an SAQ by themselves, got an ASV scan, and received no questions from the same acquirer. The original merchant tried to do it properly, tried to ensure they could answer every question properly, and was even honest about the things they could not do. Their reward for this was additional expense getting another QSA to come in and help them translate the PCI rules back to the acquirer.
Here I am now 4 short weeks later and I have another merchant being told that the acquirer would “accept a SAQ D” for their reporting requirement. Bear in mind that this client is an e-commerce merchant who has implemented a full redirect to a PCI compliant service provider and you can again imagine the frustration. Add to this that the merchant, who will be reporting full compliance within a month, was also “encouraged” to complete a Prioritized Approach Tool spreadsheet as well, and the whole thing becomes a farce.
I have a lot of sympathy for acquirers; their PCI headaches are multiplied by as many merchants and service providers as they acquire for, but this is no excuse to provide anything but the most pragmatic guidance they can. PCI cannot be driven from behind a desk, and practical guidance can only come from those who have been in front of a client as a QSA. I can read a book on emergency appendectomies, for example, but I would suggest you go to a real doctor.
Merchants: If you do want to do PCI properly, hire a good QSA or industry expert for ONE day to set the game-plan with your acquirer and your internal teams, then get on with it.
Acquirers: Hire ex-QSAs with good reputations to run your merchant-facing PCI programs; you’ll save yourselves and your clients a Hell of a lot of pain.