Banks and acquiring organizations occupy a unique position in the PCI DSS ecosystem — they are simultaneously subject to PCI DSS requirements for their own cardholder data environments and responsible for managing PCI DSS compliance across their entire merchant portfolio. The acquiring bank is the contractual gateway through which card network rules flow to merchants; it bears responsibility not just for its own compliance but for ensuring its merchants comply.
The Acquiring Bank's Dual PCI DSS Role
Own CDE Compliance
Banks and acquirers operate CDEs that typically include card processing systems, authorization systems, settlement and reconciliation platforms, fraud management systems, and cardholder data storage (retained for dispute resolution, chargebacks, and fraud analytics). These systems are subject to all 12 PCI DSS requirements. Because acquirers are members of the card networks, their own validation requirements are set directly by each network rather than by an acquirer; a bank whose processing volume crosses the networks' Level 1 service provider threshold must validate with an annual ROC performed by a QSA rather than a self-assessment.
Merchant Portfolio Compliance Management
Under the card network rules the acquiring bank is obligated to: ensure all merchants in its portfolio comply with PCI DSS, track each merchant's compliance status, report merchant compliance to the card networks (Visa, Mastercard), and take corrective action (including fines or termination of the merchant agreement) against non-compliant merchants. Across a portfolio of thousands of merchants this is a substantial program in its own right.
| KEY IDEA | Card network rules impose direct financial liability on acquiring banks for merchant non-compliance. When a merchant in an acquirer's portfolio suffers a card data breach, the acquirer is the party the card networks assess, and those assessments scale with the number of compromised accounts (fraud recovery plus the issuers' card reissuance and operating costs). The acquiring bank's merchant compliance program is therefore a direct financial risk management function, not a paperwork exercise. |
The Merchant Compliance Program
Merchant Onboarding Compliance Due Diligence
Before accepting a new merchant into the card program, acquirers should: assess the merchant's payment acceptance model (to determine the correct SAQ type), confirm the merchant understands their PCI DSS obligations, verify any existing compliance credentials (AoC, SAQ), and classify the merchant by level based on projected transaction volume.
Annual Compliance Validation Tracking
Acquirers must track annual compliance validation completion for all merchants. This involves: collecting completed SAQs or ROCs from each merchant, verifying passing ASV scan reports (where required), updating the acquirer's compliance tracking system, and reporting aggregate compliance status to card networks on the required reporting schedule.
| Merchant Level | Annual Validation Required | Acquirer Action if Non-Compliant | Reporting to Card Networks |
|---|---|---|---|
| Level 1 | Annual ROC by a QSA (or qualified internal auditor) with AoC + quarterly passing ASV scans | Escalation; potential fines; termination if unresolved | Annual ROC/AoC confirmation |
| Level 2 | Annual SAQ with AoC + quarterly passing ASV scans | Non-compliance notice; fine schedule per network rules | Annual SAQ/AoC confirmation |
| Level 3 | Annual SAQ with AoC + quarterly passing ASV scans | Non-compliance notice; escalation per the acquirer's program | Per card network program requirements |
| Level 4 | Annual SAQ (recommended) + quarterly ASV scans (recommended); validation requirements are set by the acquirer | Limited enforcement; education-focused | Per card network program requirements |
Merchant level thresholds are defined by each card network and differ slightly between them. Visa, for example, assigns Level 1 above 6 million Visa transactions per year, Level 2 from 1 million to 6 million, Level 3 from 20,000 to 1 million e-commerce transactions, and Level 4 to everyone else. A merchant that has suffered a breach may be reassigned to Level 1 by the network regardless of volume.
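The validation tracking described above is simple to state but easy to get wrong in a portfolio system: a merchant is only current if the attestation is within its 12-month window and every quarter of the look-back period has a passing ASV scan. The following is an added example (not code from the original page or from any acquirer) of the status logic a tracking system would apply. It assumes Visa's published volume thresholds for level assignment (Mastercard's differ slightly), a 12-month validity window for an SAQ or ROC measured from its signature date, and that an ASV scan covers the calendar quarter in which it completed; the merchant records are constructed sample data.

```python
"""Merchant PCI DSS validation tracker (added example; assumptions noted inline)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

Quarter = Tuple[int, int]  # (year, 1..4)


@dataclass
class Merchant:
    name: str
    annual_txn_volume: int                 # all card transactions per year
    ecommerce_txn_volume: int              # e-commerce transactions per year
    last_attestation: Optional[date]       # signature date of the latest SAQ or ROC/AoC
    passing_asv_scans: List[date] = field(default_factory=list)  # completion dates of passing scans


def merchant_level(m: Merchant) -> int:
    """Assumption: Visa's published thresholds (Mastercard's differ slightly)."""
    if m.annual_txn_volume > 6_000_000:
        return 1
    if m.annual_txn_volume >= 1_000_000:
        return 2
    if m.ecommerce_txn_volume >= 20_000:
        return 3
    return 4


def required_validation(level: int) -> str:
    return "ROC" if level == 1 else "SAQ"


def quarter_of(d: date) -> Quarter:
    return (d.year, (d.month - 1) // 3 + 1)


def previous_quarters(as_of: date, n: int = 4) -> List[Quarter]:
    """The n most recent complete quarters before the one containing as_of, newest first."""
    y, q = quarter_of(as_of)
    out: List[Quarter] = []
    for _ in range(n):
        q -= 1
        if q == 0:
            y, q = y - 1, 4
        out.append((y, q))
    return out


def asv_gaps(m: Merchant, as_of: date) -> List[Quarter]:
    """Quarters in the look-back window with no passing ASV scan."""
    covered = {quarter_of(d) for d in m.passing_asv_scans}
    return [q for q in previous_quarters(as_of) if q not in covered]


def attestation_expired(m: Merchant, as_of: date) -> bool:
    """Assumption: an SAQ/ROC is current for 12 months from its signature date."""
    if m.last_attestation is None:
        return True
    a = m.last_attestation
    day = 28 if (a.month == 2 and a.day == 29) else a.day  # 29 Feb has no anniversary
    expiry = date(a.year + 1, a.month, day)
    return as_of >= expiry


def compliance_status(m: Merchant, as_of: date) -> dict:
    level = merchant_level(m)
    findings: List[str] = []
    if attestation_expired(m, as_of):
        findings.append(f"{required_validation(level)} missing or older than 12 months")
    gaps = asv_gaps(m, as_of)
    if gaps:
        findings.append("no passing ASV scan in " + ", ".join(f"{y}Q{q}" for y, q in gaps))
    if not findings:
        status = "compliant"
    elif level == 4:
        status = "advisory"  # Level 4: validation is recommended; enforcement is acquirer-defined
    else:
        status = "non_compliant"
    return {"merchant": m.name, "level": level, "status": status, "findings": findings}


# Constructed sample portfolio (hypothetical merchants, not real data)
AS_OF = date(2025, 5, 15)
PORTFOLIO = [
    Merchant("Toko Besar", 7_500_000, 500_000, date(2024, 9, 1),
             [date(2024, 6, 10), date(2024, 9, 12), date(2024, 12, 5), date(2025, 3, 8)]),
    Merchant("Warung Online", 400_000, 250_000, date(2024, 3, 20),
             [date(2024, 7, 1), date(2025, 1, 15)]),
    Merchant("Kios Kecil", 50_000, 0, None, []),
]


def portfolio_report(portfolio: List[Merchant] = PORTFOLIO, as_of: date = AS_OF) -> List[dict]:
    return [compliance_status(m, as_of) for m in portfolio]


if __name__ == "__main__":
    for row in portfolio_report():
        print(row)
```

Run as-is and the Level 1 merchant reports `compliant`, the Level 3 merchant reports `non_compliant` with an expired SAQ and two uncovered quarters, and the Level 4 merchant reports `advisory` rather than `non_compliant`, matching the limited-enforcement posture in the table. In a real tracker the status would also drive the escalation timers and the aggregate numbers reported to the networks.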
Merchant Breach Response — The Acquirer's Role
When a merchant in the portfolio suffers a suspected or confirmed card data breach:
- Acquirer receives notification from the merchant (or discovers through card network fraud alerts)
- Acquirer notifies the affected card networks without delay, within the notification window each network's rules mandate (the windows are short, measured in hours to a few business days depending on the network)
- Card networks may mandate a forensic investigation by a PCI Forensic Investigator (PFI)
- Acquirer coordinates the PFI engagement and tracks investigation progress
- Fines from card networks for compromised cards are assessed against the acquirer
- Acquirer applies fines and remediation costs to the merchant per their contractual agreement
- Merchant may be placed under enhanced compliance monitoring post-breach
| IMPORTANT | The PCI Forensic Investigator (PFI) engagement following a merchant breach is an additional obligation beyond the normal QSA assessment. PFI companies are qualified and listed by the PCI SSC specifically for breach investigation, and a QSA firm that assessed the merchant cannot act as its PFI for the same environment. The PFI investigates the cause of the breach, determines the scope and volume of compromised cardholder data, and produces a Final Incident Report that the card networks and the acquirer use for liability assessment. |
POJK 11/2022 — OJK Information Technology Requirements for Banks
OJK Regulation No. 11/POJK.03/2022 on the Implementation of Information Technology by Commercial Banks (Penyelenggaraan Teknologi Informasi oleh Bank Umum) establishes comprehensive IT governance, risk management and cybersecurity requirements for the bank's entire IT estate. Many of them overlap with PCI DSS controls. Key alignment points:
- Information security policy and governance requirements (aligning with PCI DSS Req 12)
- Access control and user authentication requirements (Req 7, 8)
- Encryption requirements for sensitive financial data (Req 3, 4)
- Audit logging and monitoring requirements (Req 10)
- Incident response and reporting requirements (Req 12.10)
- Business continuity and IT recovery requirements (no direct PCI DSS counterpart; PCI DSS addresses incident response, not full business continuity or disaster recovery)
- Vendor and third-party security management (Req 12.8)
Banks pursuing PCI DSS compliance can reuse much of the PCI DSS evidence package for POJK 11/2022, since the two frameworks share many of the same technical and governance requirements. The reuse covers the overlap only: POJK 11/2022 applies to the whole of the bank's IT, while PCI DSS evidence is scoped to the CDE, so controls outside the CDE still need their own evidence.
Indonesian Domestic Payment — GPN and PCI DSS
The Gerbang Pembayaran Nasional (GPN) is Bank Indonesia's national payment gateway program, a domestic payment scheme that routes card transactions through the Indonesian switching institutions (JALIN, ALTO, RINTIS, ARTAJASA) rather than through the international networks. PCI DSS itself derives its authority from the international card brands, so its formal scope is defined by the presence of their PANs. In practice this makes no difference to a bank's CDE: GPN cards are commonly co-badged with an international brand, and the same authorization, switching, settlement and fraud systems handle both kinds of transaction, so the CDE systems processing GPN transactions are in scope and the same data security requirements apply to GPN account data held in them.
| Indonesian banks navigating both POJK 11/2022 and PCI DSS should build a single compliance program that produces evidence satisfying both frameworks at once. The overlap is substantial: by a rough estimate, about 70% of PCI DSS requirements directly satisfy a corresponding POJK 11/2022 control, with the remainder needing evidence of their own. A GRC platform that maps one control to both frameworks (PCI DSS + POJK 11) removes most of the duplicate evidence collection effort. |