Comments on: Look to the acquiring banks, not the PCI Security Council http://www.mckeay.net/2008/05/30/look-to-the-acquiring-banks-not-the-pci-security-council/ The views of one man on security, privacy and anything else that catches his attention Sat, 20 Mar 2010 10:00:28 +0000 http://wordpress.org/?v=abc hourly 1 By: PCI Blog - Compliance Demystified » Blog Archive » Definaitions, Roles and Responsibilities of PCI http://www.mckeay.net/2008/05/30/look-to-the-acquiring-banks-not-the-pci-security-council/comment-page-1/#comment-2448 PCI Blog - Compliance Demystified » Blog Archive » Definaitions, Roles and Responsibilities of PCI Mon, 30 Jun 2008 04:16:26 +0000 http://www.mckeay.net/2008/05/30/look-to-the-acquiring-banks-not-the-pci-security-council/#comment-2448 [...] Martin McKeay aptly noted, we must first understand who is in charge of what before asking questions or making [...] [...] Martin McKeay aptly noted, we must first understand who is in charge of what before asking questions or making [...]

]]> By: Mike http://www.mckeay.net/2008/05/30/look-to-the-acquiring-banks-not-the-pci-security-council/comment-page-1/#comment-2437 Mike Sun, 29 Jun 2008 22:47:59 +0000 http://www.mckeay.net/2008/05/30/look-to-the-acquiring-banks-not-the-pci-security-council/#comment-2437 Martin, I am happy you're educating others about the roles and responsibilities of the PCI SSC and the card brands. It's important that people understand who sets the standards and who enforces them. One point of clarification, Visa and MasterCard will never fine merchants directly because they work through their Members (Issuing and Acquiring banks), but the other card brands: American Express, Discover, and JCB go either way. Another words, AmEx, Discover, and JCB can act as the issuer and acquirer - which would be able to fine merchants directly. Martin, I am happy you’re educating others about the roles and responsibilities of the PCI SSC and the card brands. It’s important that people understand who sets the standards and who enforces them.

One point of clarification, Visa and MasterCard will never fine merchants directly because they work through their Members (Issuing and Acquiring banks), but the other card brands: American Express, Discover, and JCB go either way. Another words, AmEx, Discover, and JCB can act as the issuer and acquirer – which would be able to fine merchants directly.

]]> By: Chris http://www.mckeay.net/2008/05/30/look-to-the-acquiring-banks-not-the-pci-security-council/comment-page-1/#comment-2040 Chris Sat, 31 May 2008 17:06:25 +0000 http://www.mckeay.net/2008/05/30/look-to-the-acquiring-banks-not-the-pci-security-council/#comment-2040 Do the banks share information with one another concerning their fines/fees? It smells like an anti-trust violation if they do, but if they do not, why wouldn't a merchant switch acquirers when faced with a large enough fine or a fee increase? Do merchants have to disclose their loss/breach history to acquirers? If not, you have a situation akin to being able to switch auto-insurance companies right after you get in an accident. I note that insurance companies can and do share data to prevent this strategy from succeeding. Do the banks share information with one another concerning their fines/fees? It smells like an anti-trust violation if they do, but if they do not, why wouldn’t a merchant switch acquirers when faced with a large enough fine or a fee increase? Do merchants have to disclose their loss/breach history to acquirers? If not, you have a situation akin to being able to switch auto-insurance companies right after you get in an accident. I note that insurance companies can and do share data to prevent this strategy from succeeding.

]]>