PCI DSS Compliance: Avoid Fines and Lawsuits | GBAF | GBAF

PCI DSS Compliance: Avoid Fines and Lawsuits | GBAF | GBAF

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Business > PCI Compliance – What every card-accepting merchant should know

PCI Compliance – What every card-accepting merchant should know

Published by Gbaf News

Posted on April 9, 2013

5 min read

Last updated: January 22, 2026

Rob Crutchington discussing PCI compliance for card-accepting merchants - Global Banking & Finance Review — Rob Crutchington, Director of Encoded, addresses PCI compliance challenges faced by card-accepting merchants in protecting customer data from fraud and security breaches.

By Rob Crutchington – Director of Encoded

Rob-Crutchington It is fair to say that most card-accepting merchants understand the importance of protecting customer data from fraud and cybercrime. However, it might be news to many that in the event of a security breach they will be the ones fined. The buck stops with the merchant. Costs and expenses can quickly add up with payment network fines and assessments, forensic fees associated with a compliance audit of the merchant’s business environment and legal fees. Not to mention the damage to reputation and lost sales.

A recent report* based on a survey of 2,035 online consumers stated that nearly half (45%) of respondents saw contact centres in particular as the biggest security risk and the starting point for fraud. Findings also showed that many millions of consumers have been stopped from making purchases over the telephone when interacting with a call centre.

But surely the Payment Card Industry Data Security Standard (PCI DSS) takes care of all of this? When Visa®, MasterCard®, JBC®, Discover® and American Express® created a standard made up of 12 requirements designed to secure business systems that store, process or transmit card holder data it was meant to protect consumers and merchants against security breaches. However, what many organisations with call centres do not appreciate is that because PCI DSS covers the entire trading environment, all third-party partners and vendors that handle card data must also comply before full PCI compliance is achieved.

Visa Europe Merchant Agents List
So which third-party partners and vendors are fully PCI DSS compliant? Payment schemes are building lists of registered Third Party Vendors that can demonstrate adequate levels of data security and acceptable business practices. For example VISA has its Visa Europe Merchant Agents List http://www.visamerchantagentslist.com/ and merchant services organisations such as Elavon are insisting that only organisations which appear on this list are used by customers. This means any company involved in accepting transactions, interactive voice response (IVR) payments, internet payment gateways and any other service or product that is directly or indirectly involved in data transactions must register and appear on the list. Contact-centres typically use multiple vendors for their technology so it is becoming increasingly important for management to understand just who does what in the process and who needs to be PCI compliant to avoid fines and lawsuits in the event of the unthinkable happening and customer card data being stolen.

Not all PCI third-parties are created equal
The Visa Europe Merchant Agents list has two levels of organisations that provide services to merchants. These two levels have very different validation procedures. To achieve the top level of compliance, Level 1, an Attestation of Compliance (AOC) is needed and this level only applies to organisations that store, process and/or transmit more than 300,000 Visa transactions per year.

To achieve Level 1 status an Attestation of Compliance must be completed by an independent Qualified Security Assessor (QSA) along with a Report on Compliance. QSAs cost money and have very exacting standards. The high cost of going through full PCI DSS accreditation with an external QSA is leading to some vendors claiming to be compliant when in fact they have not been through the whole process and therefore do not have Level 1 status. This is putting merchants at risk.

For Level 2 registration organisations do not require an onsite security assessment by a QSA and are able to submit an annual self-assessment questionnaire including the Attestation of Compliance without reference to a QSA. Level 2 applies to smaller providers involved with less than 300,000 Visa transactions annually.

As Matthew Tyler, CEO of Blackfoot explained, “Payment schemes such as Visa and merchant service providers like Elavon are getting tough on organisations taking card payments. Many merchants don’t even realise they will be ones fined in the event of a data breach as they believe their bank or 3rd party supplier will be accountable. Some acquirers are even threatening to terminate Merchant Service Agreements if merchants fail to work with third-parties that appear on the Visa list. Organisations with call centres are seen as particularly vulnerable and should do everything in their power to work with only Level 1 vendors such as Encoded who have gone through extensive measures and inspections to achieve PCI DSS compliance.”

As recent research shows card security is important to consumers and they are becoming increasingly aware of both the technology and standards around payments. For call centres to build trust and confidence only the best technology from third-parties with Level 1 Visa clearance is good enough for customers. It can take years to rebuild a reputation after high profile data breaches such as those at Sony, Lush and the parent company of TK Maxx but it only takes a few minutes to check whether the vendor you are working with appears on the Visa Europe Merchant Agents list, has achieved full PCI DSS compliance and Level 1 status.

*Sabio and Avaya commissioned Davies Hickman Partners, an independent research consultancy, to complete a nationally representative survey (excluding NI) of 2,035 online consumers in January 2013.