April 3, 2014 by Kevin Christensen — Vice President, Audit, SHAZAM
In my last post, I took a look at the question, "Does our financial institution need to be PCI compliant?" While the short answer is yes, the long answer is that validation of compliance is often not required.
However, for FIs with merchant programs, the compliance team has quite a bit more responsibility than the average card issuer.
As an acquiring FI, the community bank or credit union is ultimately responsible for the activities of its merchants. Therefore, it's a best practice for these FIs to implement a risk-based program that allows merchants to be actively involved in the protection of their customers' data.
For Shazam clients who act as acquiring FIs, we have implemented a tool that allows merchants to self-assess their compliance. The results of this self-test are then visible to the FIs, who can review the outcomes and follow up with the merchants if necessary.
This usually works well for smaller-volume merchants. For merchants with greater transaction volume (more than 500,000 annually), the FI should consider a more active review.
External validation (by a qualified service assessor) is not required for any merchant until it processes more than 6 million transactions annually. Of course, the system is far from perfect, as we recently saw when several large merchants that had validated as PCI compliant still proved vulnerable to attack.
Taking the subject of PCI compliance one step further, it's important to know that any service provider the FI does business with must be formally validated as PCI compliant each year if that provider processes more than 300,000 branded transactions annually.
FIs should document the PCI compliance of all service providers. Shazam keeps this documentation readily available to customers at the audit and compliance tab of our website.