
PCI DSS (Payment Card Industry Data Security Standard)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements established by the major card networks (Visa, Mastercard, American Express, Discover, and JCB) to secure cardholder data throughout its lifecycle. Any organization that stores, processes, or transmits payment card information must comply with these standards.

The Challenge: Why PCI DSS Compliance Remains Difficult

Maintaining PCI DSS compliance presents several operational challenges for acquirers, payment service providers (PSPs), and merchant portfolios:

  • Scope creep in cardholder data environments: As businesses grow and add systems, the boundaries of where card data flows often expand beyond initial assessments, requiring constant re-scoping and validation.

  • Merchant compliance visibility gaps: Acquirers are responsible for ensuring their merchant base maintains compliance, but many small and mid-sized merchants lack the resources or technical expertise to implement required controls, creating blind spots in portfolio risk.

  • Validation fatigue and attestation drift: Annual Self-Assessment Questionnaires (SAQs) and quarterly network scans become checkbox exercises rather than substantive security reviews, leading to compliance drift between validation cycles.

  • Third-party and service provider dependencies: Merchants often rely on payment gateways, hosting providers, and other third parties, making it difficult to assess the full security posture across the data chain.

  • Enforcement inconsistency: While card networks set the standards, enforcement happens at the acquirer level, leading to variable interpretation and application of requirements across different acquiring relationships.

How to Manage PCI DSS Compliance: Best Practices for Acquirers and Risk Teams

1. Establish Clear Compliance Validation at Onboarding

Before activating a merchant account, verify PCI compliance status based on processing volume and integration method. High-volume merchants (typically those processing over 6 million Visa transactions annually) require an annual Report on Compliance (ROC) from a Qualified Security Assessor (QSA). Lower-volume merchants typically complete an SAQ corresponding to their integration type (SAQ A for redirect/iframe implementations, SAQ D for direct card data handling).

Integrate PCI validation into your merchant underwriting workflows to catch compliance gaps before the merchant begins processing.

2. Implement Continuous Monitoring, Not Annual Snapshots

Quarterly vulnerability scans are a minimum requirement, but we recommend continuous monitoring of merchant environments where feasible.

This includes tracking:

  • Changes to merchant websites and payment pages
  • Expiration dates on compliance attestations
  • Network scan results and vulnerability remediation timelines
  • Changes in processing volume that may trigger higher validation requirements

Automated merchant monitoring can flag changes in merchant infrastructure or business model that affect PCI scope before they become compliance violations.

3. Segment Merchants by Risk and Validation Requirements

Not all merchants present the same compliance risk.

Create a tiered approach:

  • Tier 1 (Highest risk): Merchants who store card data, process high volumes, or have direct integrations requiring SAQ D or ROC validation

  • Tier 2 (Moderate risk): Merchants using payment service providers but with some server-side processing (SAQ A-EP or SAQ D Merchant)

  • Tier 3 (Lower risk): Merchants using fully outsourced, redirect-based payment methods (SAQ A)

Apply enhanced validation frequency and stricter remediation timelines to higher-risk tiers.
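The following Python sketch is an added example (not code from this page or any vendor product): it turns the validation rule in step 1, the monitoring checks in step 2 and the tiering in step 3 into functions a portfolio monitoring job could run. The `Merchant` fields, the integration labels, the 365-day attestation window and the 90-day scan window are assumptions chosen to match the page's "annual" and "quarterly" cadences; placing every SAQ D merchant in Tier 1 is also an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Page thresholds: ROC above 6M annual Visa txns; annual attestation; quarterly ASV scans.
ROC_VISA_THRESHOLD = 6_000_000
ATTESTATION_VALIDITY = timedelta(days=365)
ASV_SCAN_INTERVAL = timedelta(days=90)

@dataclass
class Merchant:
    merchant_id: str
    integration: str            # "redirect", "psp_server_side" or "direct" (constructed labels)
    stores_card_data: bool
    annual_visa_txns: int
    txns_at_last_validation: int
    last_attestation: str       # ISO dates (YYYY-MM-DD)
    last_asv_scan: str
    last_asv_scan_passed: bool

def required_validation(m: Merchant) -> str:
    """Map processing volume and integration type to the validation instrument."""
    if m.annual_visa_txns > ROC_VISA_THRESHOLD:
        return "ROC"                      # QSA-performed Report on Compliance
    if m.integration == "direct" or m.stores_card_data:
        return "SAQ D"                    # merchant handles card data itself
    if m.integration == "psp_server_side":
        return "SAQ A-EP"                 # PSP used, but some server-side involvement
    return "SAQ A"                        # fully outsourced redirect/iframe

def risk_tier(m: Merchant) -> int:
    """Tier 1/2/3 as in step 3; assumption: every SAQ D merchant lands in Tier 1."""
    v = required_validation(m)
    if v in ("ROC", "SAQ D"):
        return 1
    return 2 if v == "SAQ A-EP" else 3

def monitoring_flags(m: Merchant, today: str) -> list:
    """Continuous-monitoring checks from step 2, evaluated on a given day."""
    now = date.fromisoformat(today)
    flags = []
    if now - date.fromisoformat(m.last_attestation) > ATTESTATION_VALIDITY:
        flags.append("attestation_expired")
    if now - date.fromisoformat(m.last_asv_scan) > ASV_SCAN_INTERVAL:
        flags.append("asv_scan_overdue")
    if not m.last_asv_scan_passed:
        flags.append("asv_scan_failed")   # remediation timeline should be tracked
    # Volume crossed the ROC threshold since the last validation: higher requirements now apply.
    if m.txns_at_last_validation <= ROC_VISA_THRESHOLD < m.annual_visa_txns:
        flags.append("volume_now_requires_roc")
    return flags
```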

4. Maintain Attestation and Scan Evidence

Acquirers must retain proof of merchant compliance, including:

  • Completed SAQs or ROCs with Attestation of Compliance (AOC)
  • Quarterly scan reports from PCI Approved Scanning Vendors (ASVs)
  • Remediation plans for any failed scans or identified gaps

This documentation is critical during card network audits and in the event of a data breach. We recommend centralized storage with automated expiration alerts.

5. Build Breach Response and Liability Management Protocols

Despite best efforts, breaches occur.

Establish clear procedures for:

  • Immediate merchant suspension or restriction when a breach is suspected
  • Coordination with card network forensic investigators
  • Assessment of acquirer liability under the card network operating regulations
  • Communication with affected cardholders and regulators as required

The cost of a breach extends beyond immediate forensic and notification expenses. Card networks may impose fines, and the merchant may be added to the MATCH list (Member Alert to Control High-Risk Merchants), terminating their ability to accept card payments.

Real-World Scenario: Multi-Merchant Portfolio Compliance Drift

An acquirer onboards a software-as-a-service (SaaS) platform that enables its users (sub-merchants) to accept payments. At onboarding, the platform attests to SAQ D compliance and provides a clean vulnerability scan. Six months later, the platform launches a new feature allowing sub-merchants to store payment credentials for recurring billing.

This change expands the cardholder data environment and may require upgraded security controls, yet the acquirer is unaware of the modification. A security researcher discovers a vulnerability in the new feature, exposing tokenized card data. The card networks hold the acquirer liable for the breach due to inadequate ongoing compliance validation.

This scenario illustrates why continuous monitoring of merchant business models and technical infrastructure is necessary, particularly for platform and marketplace models where the merchant's service offering evolves rapidly.

Why PCI DSS Matters for Merchant Risk Management

PCI DSS serves as the foundational security layer in the payment ecosystem. While other risk management functions focus on transactional fraud, unauthorized activity, or prohibited goods, PCI DSS addresses the integrity and confidentiality of the payment credentials themselves.

A PCI-compliant merchant environment reduces the likelihood of large-scale card data theft, which can fuel:

  • Card-not-present (CNP) fraud across multiple merchants
  • Account takeover attacks
  • Synthetic identity fraud

For acquirers and PSPs, maintaining a compliant merchant portfolio minimizes financial liability from breach remediation, card network fines, and reputational damage. It also supports compliance with regional data protection regulations such as the General Data Protection Regulation (GDPR) in Europe, which intersects with payment data security obligations.

The Acquirer's Liability Position

Under the card network operating rules, acquirers are financially responsible for breaches originating from their merchant portfolios. If a merchant experiences a data compromise and is found non-compliant with PCI DSS at the time of the breach, the acquirer may face:

  • Forensic investigation costs
  • Card reissuance fees charged by issuing banks
  • Fines levied by the card networks (these can range from thousands to millions of dollars depending on breach scope)
  • Increased interchange rates or other penalties

This liability structure makes PCI compliance validation a direct financial risk control for acquiring institutions, not merely a regulatory checkbox.
