One of the most common misconceptions about PCI DSS is that only merchants who directly accept card payments need to be PCI DSS compliant. In fact, if any of your customers require PCI compliance, you may also need to become PCI compliant yourself or be included in the scope of your customers' assessments.

Any service provider that can affect the security of its customers' cardholder data, or that stores, processes, or transmits cardholder data on behalf of its customers, needs to be able to show that the service is provided in a PCI compliant manner. In this post, we focus on service providers validating their PCI compliance independently of their customers.

Why should I become PCI compliant if I don’t take credit card payments?

There are plenty of reasons to consider becoming PCI compliant. Some will be unique to your business; others are common to most service providers. For example:

  • If several of your customers need you to be PCI compliant, validating your own compliance once will save you time compared with being involved in each customer's assessment separately.
  • There are only a small number of PCI compliant service providers in NZ, so if a customer is looking for a compliant service provider, you may be able to win more business. You may also be able to charge more for the service, whether simply to recover the additional costs of achieving and maintaining PCI compliance or to differentiate the services you offer.
  • You will be able to show your current and potential customers that you have a clear focus on security that has been independently assessed and validated against a global industry standard.
  • If you decide to list on the global service provider lists maintained by the card brands (e.g. Visa and MasterCard) you may also find customers in new markets that you hadn’t previously considered.

And of course, there may be reasons outside your control that have led you to look at PCI compliance, such as:

  • Being required to be compliant as part of your customer contracts.
  • Being required by your acquiring bank to be compliant and to be assessed as a service provider.

If any of those reasons resonate with you, then it’s time to start thinking about the next question: How do I become a PCI compliant service provider?