Web Hosting Talk

Payment Processor tip


Wassercrats
11-26-2005, 11:16 PM
I have some tips for people who make or accept credit card purchases.

Payment processors (such as Paypal) sometimes use a service to help them stay in compliance with credit card company rules. These rules vary between credit card companies, but they're based on the Payment Card Industry (PCI) Data Security Standard, which helps protect customers. Beware of compliance services, particularly AmbironTrustWave ( http://www.atwcorp.com/ ), which I discovered has made an unsubstantiated claim that the payment processor Kagi "has performed the required procedures to validate compliance with the PCI Data Security Standard." I recommend that Visa's own list of compliant service providers (which includes payment processors) be used to confirm a payment processor's compliance. I included this tip in my consumer protection index, under "Payment Processors" at http://www.polisource.com/consumer-protection.shtml#consumer-protection-index along with some other tips.

Here's my email to Visa and two replies that I received (I think there was confusion at Visa over whether the first reply was sent).

------------------------------

> -----Original Message-----
> I do business with a company that allows
> payments through Kagi, and I'm trying to
> determine whether Kagi is CISP compliant.
> According to your list of compliant service
> providers at
> http://www.verifiedbyevisa.com/download/business/accepting_visa/ops_risk_management/cisp_List_of_CISP_Compliant_Service_Providers.pdf
> Kagi isn't one of the compliant service providers,
> but according to
> http://www.kagi.com/about/bulletins/cisp.html
> and
> https://sealserver.trustkeeper.net/compliance/cert.php?code=x4ij3BZ9ZVRIGnDsmKTROdOFX2IgvC
> they are.

------------------------------

Dear Barry,

Kagi is not on Visa's updated list of compliant service providers and therefore is not PCI/CISP compliant. Companies that have not successfully fulfilled FULL PCI/CISP compliance requirements and been approved by Visa are non-compliant. Therefore, any claims made without Visa-approved full PCI/CISP compliance are unsubstantiated.

Regards,
The CISP Team
www.visa.com/cisp

------------------------------

Dear Barry,

Below is the email response sent last Tuesday by CISP soon after we received the initial email from Barry. Again, Kagi is not on Visa's list of compliant service providers and therefore is not PCI/CISP compliant. Any claims Kagi makes on their PCI/CISP compliance are unsubstantiated. Many business entities consider their operations compliant according to PCI/CISP; however, in order to be legitimately PCI/CISP compliant, the relevant PCI DSS compliance requirements according to CISP must be fulfilled accordingly, fully compliant, and approved by Visa.

Regards,
The CISP Team
www.visa.com/cisp

Corey Bryant
11-27-2005, 06:12 PM
Verified by Visa and CISP compliant are two different items actually. The List of Compliant Service Providers (http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_List_of_CISP_Compliant_Service_Providers.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp_tools_faq.html|List%20of%20CISP-Compliant%20Service%20Providers) can be found there.

Kagi might be using a different name on the list - you might ask them what they are known as for that.

cdgcommerce
11-27-2005, 09:24 PM
Sounds to me like Kagi worded their "compliance status" to appear to read that they are fully compliant, but if you re-read it, all that they are actually stating is that they simply performed the required procedures to come into internal compliance under the CISP/PCI rules. (And yes, I'd agree that this sounds very misleading/deceptive if indeed they are trying to use that to tout that they are a certified PCI payment processor.)

In order to become truly CISP/PCI compliant and certified as a gateway or payment processor, an on-site audit by a certified auditing company is required, as well as quarterly security scans and other monitoring requirements.

Wassercrats
11-28-2005, 01:32 AM
> Sounds to me like Kagi worded their "compliance status" to appear to read that they are fully compliant, but if you re-read it, all that they are actually stating is that they simply performed the required procedures to come into internal compliance under the CISP/PCI rules.

If the reason Kagi isn't on Visa's list was because the first full round of checks isn't complete, it wouldn't be as bad, but it seems to me that Kagi was found not compliant in one of the scans or audits, or didn't even go through the checks it was supposed to. I'd like to see whatever compliance history Visa has on Kagi.

Either way, it should be required (by law) that a credit card company's own determination of compliance be used when claiming compliance.

Kagi says "Kagi is very pleased to announce PCI/Visa CISP compliance. Compliance to this standard means your credit card data is safe with Kagi." I bet there's something in their contract that's inconsistent with that. There is on the Compliance Validated page they link to: "Disclaimer: AmbironTrustWave makes no representation or warranty as to whether the merchant's systems are secure from either an internal or external attack or whether cardholder data is at risk of being compromised."

cdgcommerce
11-28-2005, 09:39 AM
I think that the statement by AmbironTrustWave is more of a "CYA" on their part from the standpoint that even being CISP/PCI compliant does not guarantee that data couldn't be compromised at a future point.

They don't want to be held liable in case they audit someone and certify them and then later, that same merchant is hacked or compromised. A PCI audit, at best, only provides a "snapshot" of the security profile of a merchant at the time of the review.

I went back to the Kagi site to take a look (it had been a while) and it looks to me like they may not necessarily fall into the Level 1 category based on their transaction volume.

In fact, based on that they probably fall into the Level 2 or Level 3 which does not require an on-site audit since I'm guessing that they don't process 6,000,000 or more transactions/year.

As a result, an off-site scan vendor (such as AmbironTrustWave) and the merchant's own self-assessment would be sufficient for them to make the PCI/CISP compliance claim that is listed on their Web site.

However, HERE is the tricky thing about Kagi. They are a "merchant" but they are also acting as a "payment processor" since they are allowing merchants to set up stores and utilize Kagi to process their transactions. That is the part that gives me the most concern since there have been many issues over the years where providers of this type have been shut down and found to be non-compliant by their sponsoring banks with respect to the Card Association rules & regs.

To their credit, Kagi has been around for a while. But I always view these kinds of setups as very risky - all that it takes is for a new risk manager to take over at their merchant acquirer who has a different perspective on their business model and things can get very ugly, very quickly.

BTW, in case it is helpful - here is the link to the Visa CISP service provider list:
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_List_of_CISP_Compliant_Service_Providers.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp_service_providers.html|CISP-Compliant%20Service%20Providers

Keep in mind that the above list is for CISP compliant service providers - i.e. payment gateway and other transaction processing entities.

Wassercrats
11-28-2005, 12:20 PM
> In fact, based on that they probably fall into the Level 2 or Level 3 which does not require an on-site audit since I'm guessing that they don't process 6,000,000 or more transactions/year.
>
> As a result, an off-site scan vendor (such as AmbironTrustWave) and the merchant's own self-assessment would be sufficient for them to make the PCI/CISP compliance claim that is listed on their Web site.

Yes, that's how it seems. Visa might have been wrong in their emails to me, and their List of Compliant Service Providers (http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_List_of_CISP_Compliant_Service_Providers.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp_service_providers.html|CISP-Compliant%20Service%20Providers) is misleading. I'll keep the recommendation on my website that people select a payment processor from that list, because service providers not on that list didn't pass or didn't go through the "Annual On-site PCI Data Security Assessment," as it's called here (http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_merchants.html?it=l2%7C/business/accepting_visa/ops_risk_management/cisp.html%7CMerchants), which I guess is the same as a "CISP review," as it's called in the compliant service provider list. They might not have had to, but that would still mean that their compliance wasn't validated as strictly.

> However, HERE is the tricky thing about Kagi. They are a "merchant" but they are also acting as a "payment processor" since they are allowing merchants to set up stores and utilize Kagi to process their transactions.

Yes, it sounds like a conflict of interest. The compliant service providers page says "It is the Members' responsibility to use compliant service providers and to follow up with service providers if there are any questions about their compliance status." Unfortunately, it's not clear what "members" are, and it's not even in Visa's glossary (http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_GlossaryofTerms.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp_tools_faq.html|Glossary%20of%20Terms). Are they acquirers or merchants?

> BTW, in case it is helpful - here is the link to the Visa CISP service provider list:
> http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_List_of_CISP_Compliant_Service_Providers.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp_service_providers.html|CISP-Compliant%20Service%20Providers
>
> Keep in mind that the above list is for CISP compliant service providers - i.e. payment gateway and other transaction processing entities.

That's probably a better link than the one I gave because the domain is visa.com, which makes it more clear the information is from Visa. I think I'll bookmark this page (http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_tools_faq.html?it=c|/business/accepting_visa/ops_risk_management/cisp_merchants%2Ehtml|View%20all%20CISP%20downloads) of CISP related documents.

cdgcommerce
11-29-2005, 01:13 AM
BTW, in answer to your question on what a "Member" is... they are the Member Banks who actually comprise the Visa and MasterCard associations.

Unlike companies like American Express & Discover who operate as independent single entities, Visa and MasterCard are actually membership associations comprised of over 25,000+ financial institutions that are linked together through the Visa and MasterCard authorization and clearing/settlement networks.

The way Visa and MasterCard operate on a day-to-day basis is that they assign responsibilities and rights to their Member Banks, and they also enforce their rules & regs, as well as any financial penalties, against those very same banks.

Some Member Banks only handle the issuing of Visa and MasterCard brand cards and these are called "issuers." They get paid by the Interchange fees on every transaction processed by their cardholders and they also make money on interest, late fees, annual fees, etc. They assume the risk of loss from cardholder defaults.

Other Member Banks only handle the acquisition of merchant transactions and they collect payments from the issuing banks and settle/clear them to the end merchants. They assume the risk of loss from unpaid debits - usually from chargebacks - as well as financial penalties that can be levied against them. These Members are called "acquirers." Some Member Banks provide both services.

Member Banks may delegate their responsibilities in certain cases - such as when they register and allow an ISO/MSP to acquire merchant accounts or if a Member Bank sponsors an authorization/settlement network or gateway provider.

In the event of any penalty fee, such as a cost for non-compliance or violation of the rules & regs, Visa & MasterCard will fine the actual Member Bank directly. It is then up to the Member Bank as to how they collect that same cost from their side.

In the cases of sponsored ISO/MSPs & gateways, most contracts with Member Banks have a "pass-through" clause whereby if the Member Bank is fined due to the conduct of the third party, the cost of the fines will be paid by the third party in question. This is how Member Banks contractually protect themselves against misbehaving ISO/MSPs and other sponsored third parties.

Hope that info is helpful! :)

Wassercrats
11-30-2005, 07:22 AM
Yes, thanks for the information. I like to know something about the topics that I make recommendations on.

I got another email from Visa, but I don't want to publish everything in this thread. I'm afraid that I'll get a duplicate content penalty if I later publish it on my website. It kind of says that fines for non-compliant service providers may or may not be handed out and it's ok to do business with them, but they won't get away with it. I'll have to read it again. I think more government regulation is needed.

cdgcommerce
11-30-2005, 09:56 AM
Personally, I don't think that the government has the savvy or expertise to regulate the bankcard industry and it would probably do more harm than good.

As just one example, the judgement in the WALMART class action lawsuit against Visa & MasterCard ultimately ended up throwing out a major rule that has now resulted in Interchange inflation across the board due to Amex and other 3rd party brands now being able to solicit Member Banks that used to be exclusively tied to Visa and MasterCard alone.

And you are definitely correct in that fines can be levied against Member Banks who have non-compliant merchants. They can start at $10,000-50,000 and quickly escalate up to $500,000 or more.