Despite new card network regulations that require acquiring banks to register all of their merchants’ service providers, much confusion remains about these requirements and service provider risk in general. G2 has identified thousands of service providers on behalf of acquirers worldwide and has helped facilitate their registration with the card networks. We’ve developed industry knowledge, best practices and tools that can help bring you up to speed.
The Basics: What is a Merchant Service Provider?
Let’s start at the beginning. A merchant service provider (also referred to as a “merchant agent”) is a business entity that is involved in the processing, storage or transmission of cardholder data for merchants. Some of the more obvious types of service providers include:
- Clearing and settlement providers
- Payment gateways
- Internet payment service providers
- Merchant payment processing solutions
- Fraud monitoring services
- Loyalty & reward programs
Some of the lesser-known service providers include any online service providers merchants may use, such as web hosts and shopping cart providers.
Acquirer Responsibilities Related to Merchant Service Providers
Current card network rules state that it is the duty of the acquirer to identify and register all third-party service providers used by each of their merchants with the card networks. Let’s break it down into steps.
Step 1: Identification.
First, the acquirer must identify all their merchants’ service providers that may touch cardholder data.
Step 2: Education.
Simply identifying the merchants’ service providers is not enough. Many service providers are unfamiliar with the payment system as well as card network requirements stating they must be registered and PCI DSS compliant if they handle cardholder data.
Step 3: Registration.
Once the service providers are educated on card network requirements, the acquirer must register them with the card networks. Service providers may not register directly with the card networks; they must go through their acquirer.
Can You Afford to Ignore the Problem?
Acquirers put themselves at risk by failing to identify and register third-party service providers. Many service providers touch enormous amounts of confidential and sensitive cardholder data, making them a perfect target for criminals. By not complying with registration and PCI DSS requirements, acquirers increase their risk of account data compromises and decrease the chances of quickly identifying the source in the case of a data breach. According to an Identity Theft 911 report, 39% of data breaches occur at the service provider level, reinforcing the fact that if not managed correctly, third-party service providers pose a major risk to acquirers and their data security.
Also, the card networks may impose assessments for unregistered merchant service providers, as these are a breach of the networks’ regulations.
Challenges: Service Provider Compliance is No Walk in the Park
Identifying and registering all merchants’ service providers can be a daunting task. The industry has over 30 million merchants, and G2 estimates there are tens of thousands of identifiable third parties with potential access to cardholder data. With these large numbers, it’s no wonder acquirers may have difficulties identifying every merchant service provider.
Luckily, card networks have acknowledged this industry problem and have begun to put programs in place to help acquirers become compliant. For example, MasterCard introduced a new MSP category called Service Provider Registration Facilitator (SPRF) to help acquirers register their service providers. G2 Web Services is an approved SPRF.
Need Help? Turn to G2 Service Provider Sentinel
G2’s Service Provider Sentinel gives acquirers a solution for the complex task of identifying their merchants’ third-party service providers, determining their PCI compliance status, and driving them through the card network registration process. As a certified MasterCard SPRF and supporter of Visa’s merchant agent registration requirements, G2 can help you mitigate and manage your third-party risk.