Hitachi Group Global Network




Middle East and Africa



Is PCI DSS Compliance Mandatory when Payment Processing is Outsourced? (Part 1/3)
You are here: Home \ Compliance \ Is PCI DSS Compliance Mandatory when Payment Processing is Outsourced? (Part 1/3)
Posted on Wednesday, April 19th, 2017 by

Do you need to be PCI compliant when using a third-party payment processor?


An increasing number of companies are using third-party service providers (TPSPs) to process their credit card payments and address the costly burden of compliance to meet PCI DSS requirements.

Outsourcing raises an interesting compliance question; do you still have to be PCI compliant if you outsource the processing of credit cards to a third party?

In short, “yes”.


Related article: Data Breaches and PCI Compliance: Risk Exposure and Third Party Processor (2/3)


If your organization accepts credit cards, then it must be PCI DSS compliant, even if it is not handling the collection, processing, and storage of the protected cardholder data.


Indeed, all organizations that accept credit cards enter one or many agreements with its bank, according to which the organization must:

  • Comply with credit card association regulations, including the PCI DSS; and
  • Pay for any fines and assessments issued by the card associations following a card data compromise event.

The merchant is also required to report any card data compromise event to its bank, who then notifies the credit card association behind the PCI DSS compliance conditions.


What if your organization is not PCI DSS compliant at the time of the breach?

In case of a breach, the merchant might be required to retain and pay for a Payment Card Industry Forensic Investigator to conduct a forensic examination of the processing environment. This can be costly, depending on the size of the business.

The process moving forward is explained in credit card brand regulations (e.g. Visa International Operating Regulations or MasterCard Security Rules and Procedures). Generally, the investigator must determine if your organization was compliant at the time of the breach. Each credit card will impose a separate fine for non-compliance and can impose additional penalties for not reporting the incident immediately. These fees are claimed by virtue of the indemnity provisions in the Merchant Services Agreements; your bank will claim the money on behalf of the credit card companies. Also, your bank may decide to increase transaction fees or, in some cases, simply terminate the business relationship to eliminate the risk.

According to David A. Zetoony, attorney at Brand Cave LLP, and Courtney K. Stout, attorney at Davis Wright Tremaine, LLP, “payment brands can assess more than 25 different contractual penalties, fines, adjustments, fees, and charges upon a retailer following a PCI data security breach”.


So why outsourcing?

It does reduce the compliance burden; organizations will only have to complete a Self-Assessment Questionnaire in most cases. Nonetheless, there are other factors to consider when dealing with a third-party service provider, such as class action exposures and due diligence in vetting TPSPs. Read the article about data breaches and PCI compliance for more information.

Download Hitachi Systems Security's PCI Compliance Case Study


Vanessa Henri
About author:
Vanessa is an academic and legal expert on data protection laws, as well as a certified data protection officer. Currently, Vanessa is Hitachi Systems Security’s Director of Legal and Compliance as well as Data Protection Officer. She oversees the performance of privacy advisory services by Hitachi Systems Security to its clientele, including services such as GDPR Posture Assessments. She advises boards of directors at the macro-strategic level on the implementation of privacy obligations through efficient reporting systems. She has published a variety of data privacy-related materials and has contributed as a speaker to various conferences about data protection laws, such as Code Blue, in Tokyo. Vanessa is a member of the Quebec Bar Association, and holds a master’s in laws from McGill University. She also teaches corporate cybersecurity practices at St Thomas University, in Miami, Florida. She is a certified Data Protection Officer.

Latest Webinars | Watch Now


The Next Generation of Managed Security, in collaboration with PCM.

Watch Now

Reporting Data Privacy Obligations to the Board: A Practical Approach to Ongoing Compliance, in collaboration with Nymity.

Watch Now