Acquirer PCI compliance does not only concern the bank: it concerns every merchant that holds an acceptance agreement. International card networks (Visa, Mastercard) impose PCI DSS on acquirers, who in turn impose it on merchants via the merchant agreement. Understanding this chain of responsibility helps merchants know who monitors them, what they risk and how to reduce their exposure.
The PCI chain of responsibility: networks, acquirers and merchants
At the top of the chain are the international card networks - Visa and Mastercard above all - which have defined PCI DSS as a contractual requirement for all participants in their network. The networks do not have a direct relationship with most merchants: their enforcement channel is through acquirers (banks or payment institutions that allow merchants to accept cards).
The acquirer signs a direct agreement with the network in which it undertakes to ensure that its merchants comply with PCI DSS. If a merchant under the acquirer's management suffers a breach or is found non-compliant, the network applies penalties to the acquirer, not the merchant directly. It is the acquirer that then passes the penalties and costs on to the merchant via the merchant agreement. This mechanism makes the acquirer the primary guardian of PCI compliance for its merchants.
The acquirer's obligations towards the merchant
An acquirer's PCI DSS obligations towards its merchants include: informing the merchant of the PCI DSS requirements applicable to their transaction level, collecting and verifying compliance documentation (SAQ, AOC, ASV scan results), applying fees or penalties for non-compliance, and reporting to the networks any merchants that do not submit documentation within the prescribed timeframes.
In the event of a confirmed breach, the acquirer is obligated to immediately notify the networks and coordinate the forensic investigation. Forensic expenses and penalties applied by the networks are initially borne by the acquirer, which then recovers them from the merchant via contractual clauses. In some cases, the acquirer may impose on the merchant an increased reserve rate (a percentage of transactions withheld as security) or revocation of the merchant ID.
How tokenization changes your relationship with your bank
A merchant using PCI Proxy EU for card data management presents the acquirer with a significantly different risk profile from a merchant that stores PANs internally. The declared perimeter is reduced to a minimum: the merchant can submit an SAQ A (22 requirements) instead of an SAQ D (over 300 requirements), and the data flow diagram shows that the PAN never passes through the merchant's own systems.
This translates into concrete advantages in the acquirer relationship: faster onboarding, less scrutiny during annual review cycles, and in some cases better contractual terms, because the merchant demonstrates mature risk management. If the merchant's other systems are breached, the absence of PANs in those systems means the incident does not automatically become a PCI breach, which drastically reduces its impact on obligations towards the acquirer.
Frequently asked questions
Is the acquirer responsible if the merchant is not compliant?
Yes, towards the networks. If a merchant managed by an acquirer is not PCI DSS compliant and suffers a breach, the network applies penalties to the acquirer, which then transfers them to the merchant via the merchant agreement clauses. This mechanism strongly incentivises the acquirer to monitor its merchants' compliance and take action in cases of non-compliance.
Can I choose an acquirer based on its PCI policy?
Acquirers' PCI policies vary in terms of monitoring frequency, severity of non-compliance penalties and support offered to merchants in the compliance process. It is legitimate to consider these aspects when choosing an acquirer, especially during initial onboarding phases. Some acquirers offer self-assessment tools integrated into the merchant portal, reducing the administrative burden of the annual process.
Who penalises me for non-compliance: the acquirer or Visa/Mastercard?
Networks penalise the acquirer directly, not the merchant. It is the acquirer that then applies penalties to the merchant via the merchant agreement clauses. Network penalties towards the acquirer can be monthly and accumulate until the non-compliance is resolved. In serious cases, networks can revoke the acquirer's acceptance licence for a specific merchant or for merchant categories.
Want to simplify the PCI relationship with your acquirer by presenting a reduced perimeter? PCI Proxy EU helps you build the right documentation. Discover PCI Proxy EU.