
Digging into PCI 3.0 – What Shared Responsibility Means for Your Retail Payment Systems

Brant Schelhaas

The majority of merchants are familiar with the Payment Card Industry Data Security Standard (PCI DSS). While the standard gives business owners an actionable framework for protecting customer information during the processing, storage and transmission of credit card data, there are other important aspects businesses must be aware of. One of the largest tenets of PCI DSS is the shared responsibility element. Let's take a closer look at what that means:

Partnerships affect security
Merchants aren't the only party involved in collecting consumer credit card data. Given the payment industry's ever-evolving and complex nature, multiple organizations may have access to this sensitive information along the way. As a result, the PCI framework treats security as a shared responsibility, meaning business owners and their partners each have their own sets of requirements to ensure customers are protected. [1] In addition, the obligations an organization must meet may differ depending on which service providers it works with.

What about outsourcing?
Many entrepreneurs arrange for parts of their operation to be managed by another company. Whether it's a cloud computing platform or a software-as-a-service offering, shared responsibility applies. This is because the merchant retains a partial obligation to protect clients even when part of the enterprise is handled by someone else. It's crucial for business owners to ensure that both they and their third-party service vendors are PCI compliant. [2] The merchant is responsible for securing networks within and between their own environments, while the cloud services provider provides network protection at the cloud perimeter and between the provider's clients. [3]

Failure to do so could result in costly penalties for both parties, although the merchant may face the more serious consequences. These include loss of consumer trust and credibility within the industry, as well as reduced sales and customer loyalty.

How companies can manage shared responsibility
It's important for entrepreneurs and smaller business owners to be aware of the shared responsibility element of PCI DSS and what it means for their organization. Merchants must be prepared for the obligations that adherence brings as they work with partners. To maintain both parties' compliance, businesses should do the following, according to Educause [4]:

  • Designate representatives from a variety of backgrounds (IT, finance, legal) to lead compliance procedures and set the tone for partner companies.
  • Create a PCI risk management policy for any instances of data breach or security issues.
  • Establish responsibilities across the organization and require buy-in and training from all employees and related parties.
  • Make PCI compliance more than just an IT issue. Ensure all departments and service providers are aware of their obligations.

It's critical for merchants to be knowledgeable about PCI DSS and how the guidelines apply not only to them, but to the organizations they've partnered with. Shared responsibility is an important element of compliance for business owners to understand, as it will affect their individual requirements and the potential monetary penalties for non-adherence.

  [1] https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf
  [2] http://blog.algosec.com/2013/08/pci-3-0-what-it-means-to-you-and-your-business.html
  [3] https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf
  [4] http://er.educause.edu/articles/2014/3/pci-dss-30-what-higher-education-it-needs-to-know
