A July exposure of transaction records from 899 submerchants serviced by payment facilitator BlueSnap highlights an important lesson for PFs.
In addition to making sure their own houses are in order, they bear responsibility for their submerchants and service providers as well.
PFs who control all aspects of the card entry, where it’s impossible for a transaction to enter outside of their interface, may be able to certify compliance on behalf of all their submerchants. However, if any submerchant or service providers could conceivably get access to card data, the PF must ensure they are certified and registered. BlueSnap had to learn that the hard way.