Follow the money! (And the PAN)

LinkedIn is proving to be a valuable and interesting tool. I get fascinating comments in my inbox (but not on the iPhone App – why not?) from clever and insightful people. Yesterday Iain Omrod asked how his company stands when they make a sale through Amazon.

At first glance you think “Hey, this is my sale, my customer is buying something from me, and so Amazon are my service provider!”. This is then followed by a flurry of web searches that turn up articles that are wrong, and then by contacting Amazon to say “You’re my service provider, so how’s your compliance?”
Let’s look a little closer at what’s going on here. From a PCI perspective, one of the defining parts of a transaction is who the merchant is. If the merchant number used is yours, then it’s you, and you are responsible for the security of the transaction in the normal PCI way. If it belongs to Amazon, and they process the payment and then remit the proceeds to you, then as far as PCI is concerned they are the merchant, not you. You are effectively acting as a sales and fulfilment agent for Amazon, and PCI DSS is not relevant to you unless you process, store or transmit a PAN.
Remember, the defining issue in PCI DSS compliance is always the PAN. If you don’t see it, then you aren’t responsible for securing it.