Service providers’ PCI requirements can be different, depending on their levels.
PCI requirements for service providers vary based on the volume of annual transactions that you store, process, or transmit.
So what level service provider are you? And how do you find out? Here is some basic information on service providers, their levels, and what the PCI DSS requires of them.
What is a service provider? What are service provider levels?
Let’s start by defining what a service provider is. This is a business entity that isn’t a payment brand, but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another business. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS/IPS, and other services, as well as hosting providers.
Like merchants, service providers have a couple of different levels based on the volume of transactions they handle annually.
Level 1 Service Provider
These are service providers that store, process, or transmit more than 300,000 credit card transactions annually.
PCI Requirements validated
Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
Quarterly network scan by an Approved Scanning Vendor (ASV)
Attestation of Compliance (AOC) Form
Note: Receiving a ROC and validating as a Level 1 Service Provider allows you to be on Visa’s Global Registry of Approved Service Providers. For many organizations, listing with Visa and other card brands is a powerful marketing tool.
Level 2 Service Provider
These are service providers that store, process, or transmit less than 300,000 credit card transactions annually.
PCI Requirements validated
Annual Self-Assessment Questionnaire (SAQ) D
Quarterly network scan by an ASV
Note: Occasionally, a Level 2 Service Provider will be asked by its partners, clients, or integration partners to validate compliance as a Level 1 with a QSA onsite assessment. Level 2 Service Providers will also sometimes choose to validate as a Level 1 to be on Visa’s Global Registry of Approved Service Providers.
Tips to get PCI compliant
No matter what level of service provider you may be or how many cards you process, you need to make sure that you’re protecting your customers and data and that you’re compliant with all your PCI requirements.
Here a few tips to help you get PCI compliant:
Talk with a PCI professional: PCI compliance can get a little complex. Talk to a Qualified Security Assessor (QSA) to see what elements of the PCI DSS your business needs to focus on.
Understand your PCI scope: Create a diagram to track where your card data moves in and out of your network. This will help you determine which areas of your business environment need to be secured.
Document everything: Having proper documentation with your policies and procedures will help you give proof of PCI compliance and help you stay organized in data security.
George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.