This article has been written to support organizations that want to achieve PCI DSS Compliance and want to clarify some doubts about this standard.

Is there a list of PCI DSS compliant merchants?

The short answer is no. The long answer is also no. Despite Level 1 (the largest) merchants undergoing the same assessment, against the same controls, as Service Providers using a qualified assessor, there is no public listing to see which merchants comply with the Payment Card Industry Data Security Standards.


Why is there no public listing of PCI DSS compliant merchants?

Well, what would be the point? Would a listing really influence where shoppers spend their money?

PCI DSS compliance for merchants is about ensuring that they have adopted the appropriate controls and processes to protect their customers' card data.

What about Service Providers?

Validation of Service Providers' compliance depends on transaction volume: either validating PCI DSS compliance through an external assessment performed by a Qualified Security Assessor (QSA), or completing a Self-Assessment Questionnaire.

For Service Providers that validate compliance using a QSA, the QSA is responsible for producing a Report on Compliance (RoC) and an Attestation of Compliance (AoC). There is no further assessment, challenge or review; a QSA's say is final. The validated organisation is immediately deemed to be compliant and is able to demonstrate to its business partners and customers its alignment with the current PCI DSS requirements.

PCI DSS compliant Service Providers may apply for entry to public listings maintained by the payment brands (Visa and MasterCard).

Visa defines two types of Service Providers:

MERCHANT AGENTS

Service Providers that directly or indirectly process, store or transmit payment card data on behalf of merchants. Examples include hosting providers, hospitality booking systems, ticketing systems and, more generally, anyone offering merchants services that touch payment card data but who does not hold a direct relationship with an Acquiring Bank to process payments.

MEMBER AGENTS

Service Providers that directly or indirectly process, store or transmit payment card data on behalf of an Acquiring Bank (otherwise known as a Visa Member Bank).

In order to identify Member Agents that should be listed, Visa requires that all merchants report all Service Providers that they work with, and advises that merchants should only work with listed agents. Member Agents can be listed in the "List of PCI DSS validated Member Agents", though in order to be listed they must be registered as agents by a member bank (Acquirer) that sponsors the registration of the agent. Merchant Agents typically do not have any contract with Acquiring Banks. Merchant Agents may instead be listed in a separate portal (www.visamerchantagents.com); however, the Merchant Agent will be charged for inclusion on that list.

Check out the latest Member Agents list provided by Visa Europe. If you read carefully you will find out that Advantio is the 2nd QSA in Europe according to Visa.

MasterCard does not make any specific distinction between types of Service Provider, but requires registration as a Member Service Provider (MSP) through the MasterCard Registration Program (MRP). However, only an Acquiring Bank with a direct relationship with MasterCard may apply to register Service Providers.

So if a QSA is required to validate compliance, what role does the QSA play in registration of the Service Provider?

Despite the QSA validating compliance for the organisation and producing the Report on Compliance and Attestation of Compliance, the QSA is not permitted to register, or make a request on behalf of, the Service Provider to the payment brands (Visa and MasterCard) for inclusion within their respective listing schemes. The QSA is limited to sending the scope of the assessment, the Report on Compliance and the Attestation of Compliance to Visa, whilst MasterCard requires only the attestation.

But what happens when a Service Provider submits its registration to the payment brands?

Once the necessary forms have been submitted, Visa reviews the submission to ensure that there have been no clerical errors or omissions, and MasterCard verifies that the Attestation of Compliance has been completed correctly.

Neither payment brand challenges the QSA or the organisation about the selection or assessment of the security controls, or about the use of compensating controls. Since the QSA is not involved in the listing process, the QSA has no involvement in or control over the timing of updates and the publication of the Visa and MasterCard lists. Additionally, the payment brands may make their own clerical errors, for which the QSA is not responsible. The QSA can only ever be responsible for the elements it controls: the Attestation of Compliance and the Report on Compliance. QSA organisations maintain Quality Assurance processes to minimise the potential for mistakes made by the QSA.

However, despite processes to ensure that the QSA's submission is correct and sent to the payment brands in plenty of time for inclusion within the next update of the list, the payment brands may fail to update the list as anticipated, instead highlighting the Service Provider in orange. If this happens, we suggest you ask your QSA to contact Visa and/or MasterCard directly to verify the issue. Remember, though, that if you hold a valid Attestation of Compliance and the requisite Approved Scanning Vendor (ASV) scan results, you are already compliant with the Payment Card Industry Data Security Standard and you can prove it to anyone who questions it.

Get your tasks in good order

Do you need assistance in getting yourself listed as a PCI DSS Validated Service Provider? Advantio is a PCI QSA. Our technical expertise will enable your business to deal even with the most stringent compliance requirements.


Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason I started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA