Email Icon
info@urmconsulting.com
Phone Icon
0118 206 5410
Governance, Risk Management and Compliance
|
Information Security
|
PCI DSS 
BLOGS

What Are the Service Provider Levels

Alastair Stewart
|
Senior Consultant at URM
|
PUBLISHED on
5 Aug
2022

Table of Contents

In this blog, we turn our attention to service providers.  The PCI Security Standards Council defines a service provider a ‘business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data.  This also includes companies that provide services that control or could impact the security of cardholder data’.  So yes, a payment processor is a service provider!  Other examples include managed service providers (MSPs) that provide managed network devices (firewalls, IDS), as well as any organisation that processes payments on behalf of others, for example, organisations offering fundraising services.

It’s important to note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider if the goods and/or services sold result in the storing, processing or transmitting of cardholder data (CHD) on behalf of other merchants or service providers.  For example, an Internet service provider (ISP) is a merchant that accepts payments for the provision of Internet access i.e., its own services, but may also be considered a service provider if it provides hosting services to merchants processing their own payments.

Service providers, on the other hand, don’t always know that they are service providers and consequently, are not aware of their responsibilities.  As we said above, a service provider is a business entity that is not a payment brand, directly involved in the processing, storing or transmitting of CHD on behalf of another entity.

The processes involved in the validation of compliance for service providers vary according to payment card brand.  Validation and reporting requirements for service providers are defined according to the service provider level (i.e,. the transaction volume and/or type of service provider).

Visa, Mastercard, American Express, UnionPay and Discover categorise service providers according to these criteria.  Additionally, these same brands have two or more distinct service provider levels that are defined by transaction volume.  JCB does not categorise service providers according to transaction volume.

In general, there are 2 ways in which a service provider can validate its PCI compliance:

If a service provider processes, stores and/or transmits transactions for JCB, or if the service provider processes, stores and/or transmits more than 300,000 Visa, Mastercard, American Express, UnionPay or Discover transactions, it is considered a Level 1 service provider.  These Level 1 service providers must obtain an annual RoC, prepared by a QSA, and undergo quarterly vulnerability scanning by an ASV.

If the service provider processes, stores and/or transmits fewer than 300,000 Visa, Mastercard, American Express, UnionPay or Discover transactions, it is considered a Level 2 service provider.  These service providers must validate their PCI compliance by preparing SAQ D (variant specific to service providers) and undergo quarterly vulnerability scans by an ASV.

So, hopefully, that has provided some much-needed clarity.  The key point is to understand what you are i.e., a merchant or service provider, and then your transaction levels per brand.  It is important that you don’t just look at the volume of transactions you are doing today.  What are your growth plans?  Do you expect to fall into the next bracket next year?  If yes, focus your compliance programme on the next level up.

Alastair Stewart
Senior Consultant at URM
Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions along with supporting the completion of self-assessment questionnaires (SAQs).
Read more
Read more
find OUT more on:
PCI
Payment Card Industry Security Standards Council
CHD
Cardholder Data
SAQ
ROC
QSA

Are you looking for help preparing for a PCI DSS assessment?

As a PCI QSA, URM can assist you with a range of services, including conducting gap analyses, helping you reduce your CDE scope and conducting penetration tests.
Recent blogs
Planning Your ISO 27001 Audit Programme
Data Protection Considerations for Artificial Intelligence (AI)
The Finer Details of PCI DSS v4.0
How to Develop a Robust Business Continuity Plan
I’ve Got my Cyber Essentials - Now What?
How URM can help?
Cyber
Rapid Penetration Test Quote

Do you need support in meeting your annual PCI DSS penetration testing requirements? CREST-accredited URM can complete internal and external penetration tests for your organisation.

Read more
Cyber
Do you need support in meeting your annual PCI DSS penetration testing requirements?

As a CREST-accredited penetration testing organisation, URM can complete internal and external penetration tests.

Read more
Consultancy
Are you looking for a PCI QSA?

As a long-established PCI QSA, URM is able to deliver a full PCI QSA-led audit and produce a report on compliance (RoC) as well as deliver a full QSA-led self-assessment questionnaire (SAQ)

Read more
Having been involved in over 400 successful ISO 27001 certifications, URM Consulting Services (URM) is ideally placed to advise you on the essential activities and tasks you will need to carry out in order to maintain and improve your ISO 27001 auditing function and programme.
Find out more
related BLog posts
Thumbnail of the Blog Illustration
Information Security
Published on
8/8/2022
PCI Policies, Procedures and Evidence – What is expected?

While it’s one of the areas that IT and security departments find challenging, documentation (and compliant evidence)....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
4/8/2022
PCI DSS Gap Analysis

URM’s PCI DSS gap analysis service is aimed at those organisations which are looking to benchmark....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
5/8/2022
What Are the Merchant Levels

We are often asked, both by those new to PCI DSS and those who have been involved for a while....

Read more
"
Leanr more about
URM Services
URM's diligence during these audits has resulted in the business as a whole pulling together to collectively ensure that we up to par with the requirements. While our working relationship with URM’s consultant is fantastic, we are held to account for every bullet point of every requirement on every audit, which is precisely what we expect. The consultant’s efforts in ensuring that our PCI compliance is audited correctly is highly appreciated, as it gives the company an accreditation that we can be proud of and that we can show off to existing and prospective customers as proof of our security posture. A huge thank you to URM for providing such a valuable service.
Paul Stevens, Token
Open Banking Platform
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.
Services
Training
Consultancy
Products
About URM
About URM
URM Data Sheets
Contact URM
URM White papers
Case Studies
URM Blog
Collaboration
Secure File Portal (SFP)
Partner with URM
Subscribe to Mailing List
© Copyright 2024 URM Consulting Services Ltd. All Rights Reserved.
|
Privacy Policy
|
Cookies
|
Terms of Business