

Filed In: PCI DSS, Risk and Compliance

Payment Aggregation


Written By: Chip Ross November 15, 2016

Payment aggregation is relatively new in the PCI world, and hasn’t had much exposure to the QSA community. You may have run across some entities telling prospects and clients they have no PCI obligations for any transactions undertaken using their products. These products may include websites, mobile applications and ‘dongles’ attached to or inserted in smart phones, tablets or laptops. These entities may have payment aggregation agreements in place with the Card Brands and with Acquiring Banks.

In researching this for a client, I discovered that there is a published program from VISA, which is available here:

This document describes the VISA Payment Facilitator Model. In essence, the Payment Facilitator is the Merchant of Record, not the merchant actually selling the product. The Payment Facilitator has agreements with VISA where they are responsible for the PCI compliance of their ‘sponsored merchants’. In turn the Payment Facilitator has agreements with Acquiring Banks. In these agreements, the Payment Facilitator is allowed to assume responsibility for the PCI compliance of their ‘sponsored merchants’, as long as the ‘sponsored merchant’ conducts less than $100,000 in annual transactions.

I asked myself, ‘What if the merchant is accepting branded cards from the other Brands?’

It has been difficult to find documentation regarding similar programs for the other card brands. At the most recent PCI Community Meeting, I contacted the Card Brands and the PCI Security Standards Council in an attempt to obtain clarification and guidance. Everyone I contacted was helpful, and the Council personnel asked that I summarize the issues and send them for review.

Some of the questions that came out of my investigation are (I am using VISA’s terms, ‘sponsored merchant’ and ‘Payment Facilitator’, but these terms are meant to describe relationships that may exist with other Card Brands, Acquiring Banks and Payment Aggregators):

If a sponsored merchant is using the Payment Facilitator’s website via a PC connected to their network:

  • Is the PC in-scope for the sponsored merchant’s PCI compliance? If not, why not?
  • What happens if a key logger obtains cardholder data (CHD) from the sponsored merchant’s PC? Is the sponsored merchant subject to fines?
  • What if the sponsored merchant accepts CHD via telephone over VOIP lines before entering it in the PC? Is VOIP in-scope?
  • CHD from that PC is crossing the sponsored merchant’s internal network. How can that network be out-of-scope?
  • What protects the sponsored merchant from brand or reputational damage? The customer is going to see the sponsored merchant’s name and the Payment Facilitator’s name, but will most likely blame the sponsored merchant in the event of a compromise. Is the Payment Facilitator responsible for the cost of notification, fines, hiring a PCI Forensics Investigator, etc.?

If a sponsored merchant is using a Payment Facilitator’s device attached to a phone, tablet, laptop or other device owned by the sponsored merchant:

  • Does requirement 9.9 apply for the Payment Facilitator’s device?
  • It does not appear that any Payment Facilitator’s devices are PTS or P2PE approved solutions. Which SAQ (if any) applies?

Since VISA is the only card brand with a limit described for ‘sponsored merchants’ ($100,000 annually), what if a ‘sponsored merchant’ takes more than 20,000 transactions totaling less than $100,000? Are they now a Level 3 Merchant and required to complete an SAQ? What SAQ applies?

For now, I’m suggesting to my clients that they continue to contact any entity that informs them they have no PCI compliance obligations when using their products and ask questions to:

  • Clarify ownership of Merchant IDs
  • Validate payment flow. Is the settlement of accounts going into their bank from the acquirer, or is there an accounting relationship (ACH transfer) from the Payment Facilitator?
  • Ensure they have agreements in writing from these entities regarding their PCI compliance obligations as sponsored merchants.

I received an initial response from Council personnel that they are reviewing the situation. I will post an update as soon as any communication is received. I’m hoping that guidance from the Council, the Brands, or both, will be forthcoming to help address this situation.

Stay tuned.

Chip Ross

Chip came up through the ranks of Information Technology, beginning as a contract Desktop Field Engineer in 1997. His career evolution included leading the Desktop Operations team at Northwest Airlines, including day-to-day work direction for a team of 14 packagers and maintaining communication with upper management regarding desktop operations. In 2006, he transitioned to Information Security and delivered compliant merchant RoCs for 2007 – 2010, including the year of the Northwest/Delta merger.

Chip moved to Carlson in 2010 and continued delivering compliant Service Provider and Merchant RoCs from 2010 – 2012 as a Carlson-sponsored ISA. During that time, Chip also conducted many assessments at Carlson hotel and restaurant franchisees, providing on-the-ground guidance to the smaller merchants that make up a large portion of Carlson’s organization. Chip joined United Health Group as a sponsored ISA in early 2013, to provide guidance, tracking and reporting on the PCI efforts for the various teams and business units there.

Drawing on his experience, leading, participating, tracking and reporting on many remediation projects, Chip helps clients achieve their compliance goals through scope reduction, process improvement, and strategic technology integration. Chip’s broad background and extensive PCI experience with large corporations enables him to be comfortable working with client personnel anywhere from the data center to the board room, ensuring that AppSec Consulting’s clients receive thorough, top-quality consultation and assistance.
