September 15, 2025

Overcoming Client Resistance: A Practical Guide to Selling PCI-DSS Compliance

Don’t let client hesitation put data — and business — at risk.

Any business that accepts credit or debit cards must comply with the Payment Card Industry Data Security Standard (PCI-DSS). Managed service providers (MSPs) can play a key role in helping these businesses achieve and maintain compliance. And selling PCI-DSS compliance to clients can be a complex yet lucrative opportunity for service providers.

The business that owns the merchant ID — issued by its payment processor — is contractually responsible for reporting PCI compliance. That’s according to Chip Wolford, managing director of Protiviti’s technology consulting practice.

“While individual compliance requirements can be shared with an MSP, the entity always retains some level of reporting obligation, because they are viewed as accountable for the security of those transactions,” he noted.

Organizations can share or even transfer most of the risk to their MSPs. But if they own the merchant ID, they must still report whether they managed account data according to secure standards, Wolford added. “This makes the choice of an MSP critical because you are ultimately placing a responsibility you will be held accountable for in the hands of another party.”

Additionally, if there is an instance of noncompliance or a breach of their customer’s account data at the MSP, fines and penalties flow from the card brands and financial institutions to the business first.

Even if the MSP is at fault, the business still faces the financial and legal consequences of the MSP’s actions, although it may have legal recourse against the MSP afterward. Both parties could also suffer reputational damage.

Understand Attestation of Compliance

Merchants should ask their MSPs if they have an Attestation of Compliance (AoC). Without it, many merchants may choose not to work with them, said Kyle Hinterberg, senior manager at LBMC, an audit, accounting, and advisory firm.

MSPs either obtain their own AoC or participate in a merchant’s PCI-DSS assessment to prove that the services they provide meet compliance standards, he said.

For example, if a merchant uses an MSP to manage its firewalls, the MSP can present its AoC. The AoC demonstrates that the MSP meets the PCI-DSS requirements that apply to the services it provides. MSPs implement network security controls, primarily firewalls, to help merchants achieve compliance for that portion of their environment, Hinterberg said.

“If an MSP has a lot of clients that worry about PCI, it can be beneficial to go through a PCI assessment,” he said. “Otherwise, every week, they’re jumping on calls, answering questions from clients for their assessments.”

A key factor any merchant should consider when engaging an MSP is clear and specific communication on the shared responsibility for maintaining compliance. This should include contractual compliance obligations, such as PCI-DSS, Wolford said.

This goes beyond simply having language in your contract that acknowledges a responsibility to maintain compliance, he noted. Merchants should expect clear definitions of which compliance responsibilities apply to technology, processes, staff, and data flows. This helps both parties understand who is accountable for each aspect of PCI-DSS compliance, he added.

Key Considerations For MSPs

Because PCI compliance can be a complex process, MSPs may be hesitant to extend a formal PCI attestation of their services further than they feel they have control, Wolford said.

Determining who is responsible for a given requirement can seem difficult, but there is a simple test. “The concept of control and responsibility can be tricky,” he said. “An easy way to think about it is who has privileged access to a system.”

This often leads MSPs to draw a line, offering support to help clients achieve compliance rather than formally attesting to it. It is ultimately the merchants’ responsibility to validate this as part of their own compliance reporting process, Wolford said.

PCI-DSS often gets a bad rap since people think of it as a minimum bar of compliance, Hinterberg said. But when looking at the different DSS requirements, much of it is good common-sense security. “It’s a decent framework in general,” he stressed. “If you as an MSP think you’re doing good security, you should be able to” follow the requirements under DSS. “It’s going to make you better as an organization.”

The PCI Security Standards Council (SSC) has published plenty of guidance to support MSPs and merchants in understanding their requirements, Wolford added. “It is time-consuming to read and attempt to understand all of this. Thus, certified Qualified Security Assessors (QSAs) exist to support entities undergoing PCI attestation.”

The good news: More merchants are choosing to transfer PCI compliance responsibilities to MSPs, he said. This trend likely will continue, he added. “It makes sense. Many MSPs specialize in providing these services and can focus programs, resources, and more technical security measures as part of the services they provide to their customers.”

Compliance as a Competitive Advantage for MSPs

Ultimately, PCI-DSS compliance is not just a regulatory requirement; it’s a business imperative.

MSPs that invest in formal assessments, clear communication, and strong security practices can position themselves as trusted partners in their clients’ long-term success.


How to Position PCI-DSS Compliance as a Long-term Business Investment

The more compliance requirements MSPs are responsible for, the more complex their obligation, said Wolford. Here are some steps service providers can take to be taken seriously by merchant clients:

  • Obtain a formal PCI AoC that is validated by a Qualified Security Assessor (QSA). This signals that an entity has been independently verified to be PCI compliant for the services they are advertising.
  • Recognize that PCI represents a meaningful achievement in data security compliance.
  • Maintain clear communications on your website that explain your position on data security and privacy. Demonstrate to your clients that you have thought through the shared responsibility model for security and how you can assist them.
