PCI Compliance - Merchants

By: Sysnet Global Solutions  02/11/2010
Keywords: solutions, global, business continuity

Multiple Outlet Merchants
Sysnet have amassed a significant amount of experience working with merchants that have multiple locations and multiple merchant IDs. PCI DSS is quite challenging for a single-location merchant handling cardholder data; having multiple locations or multiple channels of payment acceptance often complicates matters further.

There are four main complexities that must be considered for merchants with multiple MIDs, and Sysnet’s service package is highly focused on ensuring that the best possible support is given in order to address these complexities.

1. Is the payment technology identical or different at each location?
For example, if each outlet uses the same stand-alone terminal solution or integrated POS solution, this allows us to make common assumptions with regard to certain clauses of the standard and to roll out a common remediation plan that can be easily coordinated by head office.

However, if some outlets use new systems and some use legacy systems, the impact on PCI compliance needs to be considered and a more outlet-focused PCI compliance plan must be generated.

2. What are the specific acquiring bank’s reporting requirements?
Technically speaking, the payment schemes require that a PCI Self-Assessment Questionnaire (SAQ) be produced for each individual MID, as the report that acquirers provide to the payment schemes is broken down by MID. However, some acquirers allow the head office to produce one SAQ.

At Sysnet, we make sure to contact the acquirer and agree the requirements up front. Furthermore, even if the acquirer only requires one SAQ, we have a simple mechanism for producing multiple SAQs so that, in the worst-case scenario of a breach, we can demonstrate that an individual SAQ exists for each MID. This is obviously much easier if the infrastructure is identical at the outlet level.

3. Is there an internal scan requirement?
Another very important consideration for multiple outlet merchants is whether or not there is an internal scan requirement. Many merchants use IP-based terminals and, because of this, internal scanning on a per-terminal basis is a factor in their compliance programme.

Sysnet recognise this as a common stumbling block for multiple outlet merchants and as a result we have put together a very flexible scanning package that offers great value for money.

4. Are PCI DSS requirements and policies understood across the outlet network?
A common issue that multiple outlet merchants face is ensuring that PCI DSS requirements and policies are understood across the outlet network. This is especially important for franchise arrangements, where a security incident at outlet level could have negative impacts across the brand. Therefore, as part of our package of services for multiple outlet merchants, we provide outlet managers with PCI DSS awareness training at outlet level. This involves managers attending Sysnet training at head office or at a convenient location. We can also feed into existing training programmes offered by head office to minimise disruption.

The result of this training is that managers come away with a clear understanding of the common risks addressed by PCI DSS, the plans of the company as a whole to meet compliance, and their specific responsibilities for protecting cardholder details at outlet level. When training is complete we reward the individuals and outlets with certificates of PCI compliance, which demonstrate to staff and customers that cardholder data is being protected.

We provide tailored packages to meet the specific needs of multiple outlet merchants.

For further information on our PCI compliance services and Merchant service packages, please contact one of our Sales representatives by calling +44 (0)118 900 1510 or by completing our Online Enquiry Form or Request a Call Back Form on our website.

Also, please feel free to visit our resource centre for helpful articles, latest news, videos, wikis and useful links related to industry topics and terminology.
