The Myth of Instant PCI Compliance Through Outsourcing

If your business is accepting credit cards as a form of payment for good and services you must be PCI Compliant! This is mandatory by the card brands Visa, Master Card and American Express.

The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive framework designed to protect cardholder data. Unfortunately, some businesses mistakenly believe that by outsourcing payment processing to a service provider, they automatically achieve PCI compliance. However, this oversimplification can lead to serious risks, including actual non-compliance.

The Reality

1. Partial Scope Reduction:

  • What It Means: Outsourcing payment processing reduces the scope of PCI compliance for you as the merchant. The third-party provider handles actual cardholder data (CHD) capture, storage, and transmission.
  • The Caveat:

Partial Scope Reduction means that only a portion of the requirements are addressed. You as the merchant remain responsible for other critical aspects of PCI compliance, including:

  • Regular Security Assessments: Conducting ongoing security evaluations and vulnerability scans to identify and address potential risks.

  • Security Policies & Procedures: Developing, implementing, and enforcing comprehensive security policies and procedures within the organization.

  • Incident Response Plan: Establishing and maintaining a plan to quickly and effectively address any security breaches or incidents.

  • Compliance Monitoring: Continuously monitoring compliance with all relevant security standards and regulations.

  • Employee Security Awareness Program: Educating employees about security best practices and potential threats through a structured awareness program.

  • Information Security Policy: Creating and maintaining an information security policy to guide the organization’s security practices and ensure regulatory compliance.

  • And others, consult with a PCI expert to ensure you are following the guidelines that apply to your business.

2. Shared Responsibility:

  • What It Means: While the third-party provider handles Cardholder Data (CHD), you as the merchant still interacts with the payment ecosystem. This means you have to ensure your systems align with PCI DSS standards.
  • The Catch: You (the merchant) remain accountable for securing your environment, including any systems that interact with the third-party service. Additionally, you must ensure that all service providers you work with are PCI compliant.

3. Ongoing Compliance Efforts:

  • What It Means: PCI compliance isn’t a one-time event. It requires continuous monitoring, employee awareness, vulnerability assessments, and reporting.
  • The Reminder: Outsourcing doesn’t exempt you from these ongoing efforts. Regular assessments are crucial.

4. Reporting and Documentation:

  • What It Means: You must submit compliance reports (e.g., Self-Assessment Questionnaires or Reports on Compliance) to your payment processors/ acquiring bank. Contact them, and ask them exactly what they need from you before you are caught by surprise!
  • The Reality Check: Outsourcing doesn’t eliminate this requirement. You must demonstrate compliance, even if you rely on a third party for the heavy lifting.

Best Practices

Understand Your Role:

  • What It Means: Know which aspects of PCI compliance are your responsibility and which are that of the third party. Your payment application provider will be able to supply you with a responsibility matrix, allowing you to visualize what needs to be done on your end.
  • The Key: Collaborate with the third party to ensure alignment.

Due Diligence:

  • What It Means: Choose a reputable third-party provider. Verify their compliance status and security practices. Ideally a PCI Level 1 Service Provider.
  • The Reminder: Regularly review your third party’s compliance documentation. Request a current Attestation of Compliance (AOC)

Monitor Changes:

  • What It Means: As the payments landscape evolves, so do compliance requirements.
  • Stay Informed: Keep up with updates to PCI DSS and adjust practices accordingly. You can ask your payment processor, acquirer or monitor the PCI Security Standards website at

Outsourcing payment processing applications streamlines operations, and helps you with the heavy lifting, but it doesn’t grant instant PCI compliance. You must actively participate, understand your obligations, and maintain vigilance. Compliance is a shared responsibility, and thorough due diligence is essential to protect both your business and your customers’ data .

Remember, while outsourcing helps with the heavy lifting, it’s not a silver bullet. Stay informed, stay compliant!

We recommend contact your Payment Process/Acquirer and PCI Expert to ensure you re doing what is required for your business. If you are not getting all the answers that you need you can contact our PCI Assist Team!

We’re Here to Help

What our clients are saying about us

“Never any issues with you guys! Things just work.”

Gerry Henstra, CEO, Henstra Business Solutions

“Customer service is a really big deal to us, and I am glad to do business with a company that obviously takes it as seriously as we do.”

Jeff Boatman, Global Client Solutions

“We’re happy with the IVR Payment system and it has been working well for us. Recently we also setup your newest SMS (text) receipts and found it to work great.”

IT Manager

“I want to command you and your team at Datatel on the job just completed for Tele-Response Center. The attention to detail and professionalism with which you approached the project was exemplary and greatly appreciated especially considering the several applications that needed to be implemented on short notice. Thanks again for your assistance getting this project off the ground so smoothly.”

Joe Grossman, Sr. Vice President, 121 Direct Response

“My team and I would like to commend Datatel on creating an IVR application that adds great value to our new Travel product. Your knowledge, input and expertise in IVR scripting, call flow management and overall IVR logistics made the development and implementation stages extremely easy to manage. Thank you for a well executed campaign that was launched on time and on budget.”

Ryan McCullough, Marketing Manager, Aegon Direct

“Great team to work with. I look forward to utilizing some additional capabilities in the future.”

Bob Griffin, VP of Operations, MedA/Rx

“We are very grateful for many years of mutually beneficial business relationship with Datatel and for impeccable customer service we have received during these years.”

Director of Student Accounts

“We, Standard Life, very much appreciated Datatel’s expertise, knowledge and support as we worked through the development and implementation stages. Our Clients appreciate the simplicity of the capability, while gathering very valuable feedback. Thanks for making this a very positive experience.”

Anne Pennell, VP, Customer Services Operations, Standard Life

“This was one of the best implementations I have been a part of. The communication was excellent and everything was responded to and dealt with swiftly. A real pleasure. We are looking forward to the impact this will have on our patient payments! Thank you!”

Kim Pace, Director Patient Accounts and Revenue, Chatham-Kent Health Alliance