What Are the Service Provider Levels

Latest update:
5 Aug
2022

In this blog, we turn our attention to service providers.  The PCI Security Standards Council defines a service provider a ‘business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data.  This also includes companies that provide services that control or could impact the security of cardholder data’.  So yes, a payment processor is a service provider!  Other examples include managed service providers (MSPs) that provide managed network devices (firewalls, IDS), as well as any organisation that processes payments on behalf of others, for example, organisations offering fundraising services.

It’s important to note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider if the goods and/or services sold result in the storing, processing or transmitting of cardholder data (CHD) on behalf of other merchants or service providers.  For example, an Internet service provider (ISP) is a merchant that accepts payments for the provision of Internet access i.e., its own services, but may also be considered a service provider if it provides hosting services to merchants processing their own payments.

Service providers, on the other hand, don’t always know that they are service providers and consequently, are not aware of their responsibilities.  As we said above, a service provider is a business entity that is not a payment brand, directly involved in the processing, storing or transmitting of CHD on behalf of another entity.

The processes involved in the validation of compliance for service providers vary according to payment card brand.  Validation and reporting requirements for service providers are defined according to the service provider level (i.e,. the transaction volume and/or type of service provider).

Visa, Mastercard, American Express, UnionPay and Discover categorise service providers according to these criteria.  Additionally, these same brands have two or more distinct service provider levels that are defined by transaction volume.  JCB does not categorise service providers according to transaction volume.

In general, there are 2 ways in which a service provider can validate its PCI compliance:

If a service provider processes, stores and/or transmits transactions for JCB, or if the service provider processes, stores and/or transmits more than 300,000 Visa, Mastercard, American Express, UnionPay or Discover transactions, it is considered a Level 1 service provider.  These Level 1 service providers must obtain an annual RoC, prepared by a QSA, and undergo quarterly vulnerability scanning by an ASV.

If the service provider processes, stores and/or transmits fewer than 300,000 Visa, Mastercard, American Express, UnionPay or Discover transactions, it is considered a Level 2 service provider.  These service providers must validate their PCI compliance by preparing SAQ D (variant specific to service providers) and undergo quarterly vulnerability scans by an ASV.

So, hopefully, that has provided some much-needed clarity.  The key point is to understand what you are i.e., a merchant or service provider, and then your transaction levels per brand.  It is important that you don’t just look at the volume of transactions you are doing today.  What are your growth plans?  Do you expect to fall into the next bracket next year?  If yes, focus your compliance programme on the next level up.

Thumbnail of the Blog Illustration
Information Security
updateD:
9/8/2022
Benefits of PCI DSS Compliance

In recent blogs, we have focused on how best to ensure you comply with the PCI Data Security Standard. However, this week we will look at what the benefits are of achieving and maintaining compliance…

Read more
Thumbnail of the Blog Illustration
Information Security
updateD:
5/8/2022
PCI DSS Reduction and Assessment

The Payment Card Industry Security Standards Council (PCI SSC) defines scoping as “the process of identifying all system components, people, and processes to be included in a PCI DSS assessment to...

Read more
Thumbnail of the Blog Illustration
Information Security
updateD:
4/8/2022
PCI DSS Gap Analysis

URM’s PCI DSS gap analysis service is aimed at those organisations which are looking to benchmark their current corporate information security practices (relating to payment card data) against...

Read more
"
Moving from our existing Pen Testers after 10 years was a difficult decision but I am really glad we did. It's been a pleasure working with you. The Pen Testing was extremely thorough and as hoped you were open to a collaborative deeper delve, far beyond what we were required to do for PCI DSS, which has been very useful.
Payment Service Provider
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.