I was at Visa Europe's QSA Briefing yesterday, and one question that cropped up was whether or not a Concierge-style service would bring that Concierge into scope as a Service Provider.
By Concierge, I mean an entity that keeps Consumers' card numbers on file so it can book things like flights or hotels on their behalf. Think of corporate credit cards – you would often pass the number to a PA or Admin support department so they can pay for expenses on your behalf, or they might have a shared one they use for everybody.
What I found incredible was that QSAs from two of the world's largest QSA Companies actually put these Concierge services and/or Admin support departments into scope as Level 2 Service Providers! I'm not sure if the Visa guy mis-heard the question, but he said they would be in scope too.
Visa's intended application of PCI DSS is simple – “PCI DSS applies to every acquirer and issuer, every merchant that accepts payment cards and every service provider that works on their behalf.”
(“A Guide for Service Providers”)
It should NOT apply to entities that process payments on behalf of Consumers. If a breach occurred with such a service then it would be the Consumer that is held liable, for giving somebody else their card details, under the cardholder regulations, terms and conditions they sign up to in having the card in the first place.
Service Providers are those that provide services to acquirers, issuers, merchants and of course, other service providers. There is certainly no mention of Service Providers being defined as those that provide services to end Consumers.
If Concierge or any other Merchant Aggregators have contractual relationships with entities that are obliged to meet PCI DSS, then this might be a bit different, but guys – your advice pretty much boils down to saying Consumers are in scope for PCI DSS, and whilst I'm sure your bulging marketing and sales teams would love to start knocking on everyone's door, you're missing the point.