
Choosing PCI DSS-compliant service providers

Learn how hiring the right PCI DSS-compliant service providers, especially payment services providers, can reduce your compliance burden.

I'm a small retailer, and I've read conflicting information online about whether a mobile payment application that I plan to use is PCI DSS-compliant. If I use this type of product, do I have to do all the paperwork and such related to PCI?

The bottom line is that if you hold a credit card merchant account, there is nothing you can do to completely absolve yourself of PCI DSS compliance responsibility. If you consult the terms of your merchant agreement, you will find language that places the burden of compliance squarely on your organization. In cases where you use third-party service providers to implement all or part of your credit card processing, you are responsible for ensuring that you use only PCI DSS-compliant service providers and that you meet all of your other PCI DSS responsibilities. PCI DSS Requirement 12.8 spells this out: you must keep a list of the service providers you share cardholder data with, hold a written agreement in which each acknowledges its responsibility for that data, perform due diligence before engaging a provider and monitor each provider's compliance status at least annually. In practice, that means asking each provider for its current Attestation of Compliance (AOC) rather than taking a marketing claim of "PCI compliance" at face value.

That said, you may certainly reduce the burden of PCI DSS compliance on your organization by carefully choosing technologies and service providers that limit (or eliminate!) your internal handling of sensitive credit card information. One of the most straightforward ways to do this is to use a solution built on point-to-point encryption (P2PE). The approach is sometimes loosely called end-to-end encryption, but the PCI SSC reserves the term P2PE for solutions validated against its P2PE standard, and only those carry the compliance benefits described below. A P2PE solution uses a secure cryptographic device at the point of sale that encrypts card data the moment it is read, using keys the device shares only with the solution provider's decryption environment, and then sends the encrypted transaction to the provider for processing. The merchant's own systems handle nothing but ciphertext and never have access to unencrypted credit card information in electronic form.

In the future, merchants using P2PE may be eligible to use an abbreviated compliance validation process if they meet all of the following criteria:

  • They use a PCI SSC-validated P2PE solution for all credit card processing and have implemented it according to the solution provider's P2PE Instruction Manual (PIM).
  • No systems other than the P2PE devices store, process or transmit cardholder data.
  • They do not receive or transmit cardholder data in any other electronic form.
  • They do not store any cardholder data in electronic form, even if it is encrypted.
  • They have removed all legacy cardholder data from their systems.

Merchants meeting these criteria are eligible to complete the abbreviated SAQ P2PE-HW (renamed SAQ P2PE under PCI DSS version 3.0), which focuses on the specific responsibilities of P2PE users. There is a catch, however. At the time of writing, nobody is able to use these provisions because the PCI SSC has not added any products to its official list of Validated P2PE Solutions. Before relying on a vendor's P2PE claim, check that list on the PCI SSC website: a solution that is not on it does not qualify you for the abbreviated SAQ, however it is marketed.
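The flow described above, together with the "no cardholder data anywhere else" test behind the criteria, as an added example in Go written for this column (it is not code from any P2PE vendor or from the PCI SSC). It assumes a single random AES-256-GCM key shared only by the terminal and the provider, standing in for the per-transaction DUKPT keys a real device derives, and uses the constructed test PAN 4111111111111111. The merchant's record carries only ciphertext, the amount and the last four digits; a Luhn-based PAN scan over that record, the same scan you would run over exports and logs when clearing legacy data, finds nothing, while the provider recovers the card data and rejects a record whose amount was altered in transit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// posTerminal stands in for the secure cryptographic device at the point of
// sale, providerDecryptor for the provider's decryption environment. Assumed
// stand-in: one random AES-256-GCM key shared only by these two (not DUKPT).
type posTerminal struct{ aead cipher.AEAD }
type providerDecryptor struct{ aead cipher.AEAD }

// merchantRecord is everything the merchant's own systems ever see.
type merchantRecord struct {
	Amount     string
	Last4      string // truncated PAN for the receipt, which PCI DSS permits
	Ciphertext string // hex(nonce || AES-GCM ciphertext || tag)
}

func (r merchantRecord) String() string {
	return fmt.Sprintf("amount=%s last4=%s ct=%s", r.Amount, r.Last4, r.Ciphertext)
}

// newSolution provisions a terminal and a provider sharing one fresh key.
func newSolution() (*posTerminal, *providerDecryptor) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err) // no usable entropy: refuse to provision
	}
	block, _ := aes.NewCipher(key)  // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block) // AES block size: cannot fail
	return &posTerminal{aead}, &providerDecryptor{aead}
}

// swipe encrypts inside the terminal; the amount is bound as associated data.
func (t *posTerminal) swipe(pan, expiry, amount string) (merchantRecord, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return merchantRecord{}, fmt.Errorf("bad PAN length %d", len(pan))
	}
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return merchantRecord{}, err
	}
	ct := t.aead.Seal(nil, nonce, []byte(pan+"|"+expiry), []byte(amount))
	return merchantRecord{amount, pan[len(pan)-4:], hex.EncodeToString(append(nonce, ct...))}, nil
}

// decrypt runs at the provider; any change to ciphertext or amount fails here.
func (p *providerDecryptor) decrypt(rec merchantRecord) (pan, expiry string, err error) {
	ns := p.aead.NonceSize()
	raw, err := hex.DecodeString(rec.Ciphertext)
	if err != nil || len(raw) < ns {
		return "", "", fmt.Errorf("bad ciphertext: %v", err)
	}
	pt, err := p.aead.Open(nil, raw[:ns], raw[ns:], []byte(rec.Amount))
	if err != nil {
		return "", "", err // GCM tag mismatch: tampered record or wrong key
	}
	pan, expiry, _ = strings.Cut(string(pt), "|") // authenticated, so "|" is present
	return pan, expiry, nil
}

// luhnValid is the check digit test card numbers satisfy; digits must be ASCII digits.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d = int("0246813579"[d] - '0') // doubled digit, digits folded
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

var panPattern = regexp.MustCompile(`\b[0-9]{13,19}\b`)

// containsPAN is the legacy-data check: run it over exports, logs and the merchant's own P2PE records.
func containsPAN(text string) bool {
	for _, m := range panPattern.FindAllString(text, -1) {
		if luhnValid(m) {
			return true
		}
	}
	return false
}

func main() {
	term, prov := newSolution()
	rec, _ := term.swipe("4111111111111111", "1225", "19.99") // constructed test PAN
	pan, _, err := prov.decrypt(rec)
	fmt.Println(rec, "| merchant sees PAN:", containsPAN(rec.String()), "| provider got:", pan, err)
}
```

Run it with go run. The point to take from it is which party holds the key, not the choice of cipher: the merchant's scope shrinks only because nothing on the merchant's side can decrypt, and the Luhn scan is how you demonstrate to an assessor that no system outside the P2PE devices still holds a PAN.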

Ask the expert!
Got a vexing problem for Mike Chapple or any of our other experts?
Ask your enterprise-specific questions today! (All questions are anonymous.)

This was last published in June 2014
