Which PCI DSS Service Provider Level are you?
- Posted by Rose Wilson
- Categories Information Security, PCI DSS
- Date 04/10/2023
Under the Payment Card Industry Data Security Standard (PCI DSS), merchants and service providers are subject to different requirements and have different responsibilities. While merchants will usually know they are merchants, having come to a merchant agreement with a payment service provider or an acquiring bank, service providers don’t always know they are one, and, as such, aren’t fully aware of their responsibilities.
What is a PCI DSS ‘Service Provider’?
The PCI Security Standards Council (PCI SSC), the council in charge of the development and management of the PCI DSS, defines a service provider as a ‘business entity that is not a payment brand, directly involved in the processing, storage or transmission of cardholder data’. The council goes on to specify that this includes ‘companies that provide services that could control or could impact the security of cardholder data’. Managed service providers (MSPs) that provide managed network devices (IDS, firewalls) are also examples of service providers, as are organisations that process payments on behalf of others, such as organisations that offer fundraising services.
However, in some cases, an organisation will fall into both ‘merchant’ and ‘service provider’ categories; a merchant can also be a service provider if the goods/services they provide result in cardholder data (CHD) being stored, processed or transmitted on behalf of other merchants or service providers. Internet service providers (ISPs) are a good example of this. An ISP will accept payment in exchange for the provision of internet access, making it a merchant. However, if it hosts merchants processing their own card payments, it may also be considered a service provider.
How do PCI DSS Service Providers Evidence their Compliance?
The means through which you will need to verify your PCI DSS compliance if you are a service provider depends on your service provider level, which is determined by the volume of transactions you process, transmit or store. There is some variation in how the different payment card brands categorise service providers, and in the processes they require service providers to complete in order to validate their compliance.
Mastercard, Visa, UnionPay, American Express and Discover all categorise service providers within two distinct levels according to the criteria described above. JCB, on the other hand, does not categorise service providers according to the number of transactions they handle; all JCB service providers are required to evidence compliance in the same way, regardless of transaction volume or any other criteria.
Level 1 Service Provider
You will be categorised as a Level 1 service provider if you process, store and/or transmit any number of transactions for JCB. Alternatively, if you are processing, storing and/or transmitting transactions for any of the other card brands listed above, you will only be a Level 1 if you handle over 300,000 transactions. As a Level 1 service provider, you would be required to obtain a Report on Compliance (RoC) every year, prepared by a Qualified Security Assessor (QSA) such as URM, and would also need to have an Approved Scanning Vendor (ASV) conduct quarterly vulnerability scans of your systems.
Level 2 Service Provider
Meanwhile, if you handle fewer than 300,000 Visa, Mastercard, UnionPay, American Express or Discover transactions, you will fall under Level 2. Unlike Level 1, Level 2 service providers are able to evidence their compliance by completing a Self-Assessment Questionnaire (SAQ), specifically SAQ D in the variant intended for service providers. You would also, like Level 1 service providers, need to have a quarterly vulnerability scan performed by an ASV.
Closing Thoughts
If you need to comply with the PCI DSS, it is vital that you first and foremost determine whether you are a merchant or service provider and, following this, your transaction levels per card brand. When doing so, you should not only consider your transaction volume in the here and now, but also your future growth. If you fall into Level 2 now but in the next year, for example, are likely to increase your number of transactions to the point that you may fall into the Level 1 bracket, you should focus your compliance efforts on the higher level instead.