![Adoptech-logo-GreyWithoutStrapline-1.png]](https://knowledge.adoptech.co.uk/hs-fs/hubfs/Adoptech-logo-GreyWithoutStrapline-1.png?height=39&name=Adoptech-logo-GreyWithoutStrapline-1.png){kind=logo}
What Is an Acquirer in PCI DSS?
“acquirer” is one of the most common PCI DSS terms that causes confusion - we explain what it means
In PCI DSS, an acquirer (also called an acquiring bank) is the organisation that enables your business to accept card payments and connects you to the card payment networks such as Visa and Mastercard.
If you accept card payments, you have an acquirer — even if you never interact with them directly.
What does an acquirer do?
An acquirer is responsible for supporting merchants in the card payment ecosystem. This typically includes:
-
Sponsoring your organisation to accept card payments
- Processing transactions through the card networks
-
Settling funds into your business bank account
-
Enforcing PCI DSS compliance requirements
-
Requesting validation documents such as SAQs or Attestations of Compliance (AoCs)
In simple terms:
-
You accept card payments
-
The acquirer makes that possible
-
PCI DSS compliance is part of the agreement
Why acquirers matter for PCI DSS compliance
Your acquirer is usually the organisation that determines:
-
Your PCI DSS merchant level
-
Which Self-Assessment Questionnaire (SAQ) applies
-
Whether an external audit (Report on Compliance) is required
-
How often compliance must be validated
-
What documentation must be submitted
This is why PCI guidance often states:
Your acquirer is the final authority on PCI DSS validation requirements.
Do you still have an acquirer if you use Stripe or PayPal?
Yes.
Even if you use a payment provider like Stripe or PayPal, there is still an acquiring bank involved behind the scenes.
For example:
-
Stripe provides the payment platform
-
Stripe partners with acquiring banks
-
Those banks act as the acquirer supporting card transactions
So while you may not have a direct relationship with the acquirer, PCI DSS obligations still apply.
Acquirer vs payment processor (common confusion)
These terms are often used together but refer to different roles:
| Term | Meaning |
|---|---|
| Acquirer | The bank that enables card acceptance and settles funds |
| Processor | The service that handles transaction processing technology |
| Payment Service Provider (PSP) | A provider (e.g. Stripe) that bundles payment services together |
In many modern setups, PSPs combine multiple roles, which is why the distinction can be unclear.
Example (UK business)
A UK SaaS company accepts card payments using Stripe:
-
Merchant: The SaaS company
-
Payment Service Provider: Stripe
-
Acquirer: Stripe’s partner acquiring bank
-
Card schemes: Visa / Mastercard
PCI DSS validation still applies, typically through an SAQ.
Key takeaway
An acquirer is the organisation that ultimately ensures merchants validate PCI DSS compliance.
Even if you don’t communicate with them directly, they are a core reason PCI DSS requirements exist.