What are PCI Service Provider Compliance Levels

What are a service provider’s PCI levels, and how do they affect its PCI compliance obligations?

A service provider’s PCI requirements vary according to its level, and the level depends on the annual volume of transactions the service provider stores, processes, or transmits.

See Also: PCI DSS Compliance Levels

So, what level of compliance of the service provider are you, and how do you know? Below you can find some necessary information about service providers, their levels, and what is expected by PCI DSS.

What is a service provider? What are the service provider levels?

Service providers are business entities that are not a payment brand but are directly related to the processing, storage, or transmission of cardholder data on behalf of another organization.

Service providers include companies that provide services that affect or may affect cardholder data security. Such services include managed service providers with managed firewalls, IDS / IPS, other services, and hosting service providers.

There are two compliance levels, depending on the service provider’s annual transaction volume.

  • Level 1 Service Provider – More than 300 thousand transactions per year (more than 2.5 million transactions for Amex)
  • Level 2 Service Provider – Less than 300 thousand transactions per year (less than 2.5 million transactions for Amex)

Additionally, below you can find service provider levels for Visa, Mastercard, Discover, and American Express:

Note that the card transaction volume is the sum of the transaction volumes of all of the service provider’s customers, so the threshold of 300,000 transactions per year can be reached very quickly.

The levels, criteria of the Service Providers, and the relevant card brands’ verification requirements are listed below.


It should be noted that Mastercard, Visa, Amex, and Discover require all service providers to be PCI compliant.

PCI DSS Compliance Level 1 Service Provider

VISA Service Provider Level 1 Criteria: VisaNet processors or any service provider that stores, processes, or transmits more than 300,000 Visa transactions per year is defined as level 1.

MasterCard Service Provider Level 1 Criteria: All Data Storage Entities (DSE) that store, transmit, or process more than 300,000 total MasterCard and Maestro transactions annually are defined as a level 1 service provider.

Discover Service Provider Level 1 Criteria: All service providers that store, process, or transmit more than 300,000 Discover card transactions per year, and any service provider determined by Discover at its sole discretion must meet Level 1 eligibility requirements.

American Express Service Provider Level 1 Criteria: Any service provider that processes 2.5 million or more American Express card Transactions per year or American Express otherwise deems Level 1 is defined as level 1.

JCB does not categorize or level service providers by transaction volume.

In short, level 1 service providers are those that store, process, or transmit more than 300,000 card transactions annually for Visa, Mastercard, or Discover, or 2.5 million or more for AMEX. However, it should not be forgotten that the number of transactions is not counted per customer; it is the total number of transactions the service provider handles annually across all customers.

Level 1 service providers that ensure PCI compliance are added to and listed on Visa’s PCI DSS Compliant Service Providers List.

PCI level 1 service provider requirements are as follows:

  • Annual Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA)
  • Quarterly external network scans performed by an Approved Scanning Vendor (ASV)
  • Penetration test performed annually
  • Quarterly internal network vulnerability scans
  • Attestation of Compliance (AOC) form

Also, institutions that carry out the following activities are defined as level 1 service providers:

  • All Third Party Processors (TPPs)
  • All Staged Digital Wallet Operators (SDWOs)
  • All Digital Activity Service Providers (DASPs)
  • All Token Service Providers (TSPs)
  • All 3-D Secure Service Providers (3-DSSPs)
  • All AML / Enforcement Service Providers

Once you have the Report on Compliance (ROC) and have been validated as a Level 1 service provider, you can enroll in Visa’s Global Registry of Service Providers. Inclusion in the Visa and other card brand lists is a powerful marketing tool for many companies.

PCI DSS Compliance Level 2 Service Provider

VISA Service Provider Level 2 Criteria: Any service provider that stores, processes, or transmits less than 300,000 Visa transactions per year is defined as level 2.

MasterCard Service Provider Level 2 Criteria: All DSEs that store, transmit or process less than 300,000 MasterCard and Maestro transactions annually are defined as level 2.

Discover Service Provider Level 2 Criteria: All service providers that store, process, or transmit less than 300,000 Discover card transactions per year are defined as level 2.

American Express Service Provider Level 2 Criteria: Any service provider that processes less than 2.5 million American Express card Transactions per year or is not considered Level 1 by American Express is defined as level 2.

JCB does not categorize or level service providers by transaction volume.

In short, level 2 service providers are those that store, process, or transmit fewer than 300,000 card transactions annually for Visa, Mastercard, or Discover, or fewer than 2.5 million for AMEX. However, it should not be forgotten that transaction counts are not per customer; they are the total number of transactions the service provider handles annually across all customers.

PCI level 2 service provider requirements are as follows:

  • Annual PCI Self-Assessment Questionnaire (PCI SAQ) D
  • Quarterly external network scans performed by an Approved Scanning Vendor (ASV)
  • Penetration test performed annually
  • Quarterly internal network vulnerability scans
  • Attestation of Compliance (AOC) form

Besides, the institutions that carry out the following activities are defined as level 2 service providers:

  • All Terminal Services (TSs)

Level 2 service providers that ensure PCI compliance are not added to and are not listed on Visa’s List of PCI DSS Compliant Service Providers. However, level 2 service providers can choose to be audited as a Level 1 service provider for inclusion in Visa’s List of PCI DSS Compliant Service Providers.

However, regardless of which level applies to you, if your company operates as a service provider, you may want to consider the prestige value of completing a PCI Level 1 assessment, also known as a PCI ROC (Report on Compliance).

Unlike merchants, which have four compliance levels, service providers have only two. Level 1 service providers must pass an on-site PCI DSS assessment performed by a Qualified Security Assessor (QSA). Level 2 service providers must assess themselves annually using Self-Assessment Questionnaire SAQ D.

However, most service providers are expected to undergo a Level 1 assessment regardless of their actual level, because with an on-site PCI DSS assessment and QSA evaluation the service provider is audited by an independent party. This matters a great deal to acquiring banks, other key institutions, and customers who ask for it.

As a result, the transaction level has become largely meaningless for service providers, and QSAs now treat an on-site Level 1 assessment as the default requirement.

What Are the Benefits of PCI Compliance for Service Providers?

There is no legal requirement for a service provider to be PCI DSS compliant. Also, the service provider has no contractual obligations with payment brands to be PCI DSS compliant.

However, some payment brands may have their requirements to use PCI compliant service providers. Therefore, service providers should contact their acquiring banks about the necessity for PCI compliance.

See Also: PCI Compliance Reports: What Do SAQ, AoC, and RoC Mean?

In short, service providers may not be required to provide their customers with an Attestation of Compliance (AOC), but this depends on the service provider’s acquirer or payment brands.

In any case, it is advantageous for service providers to pass a PCI DSS assessment and establish an AOC. We can list the benefits that service providers can gain with PCI DSS compliance:

  • It saves the service provider the additional burden of passing a separate assessment for each customer.
  • It provides a competitive advantage, as many merchants will not want the additional difficulty of bringing a service provider into the scope of their own assessment.
  • It allows the service provider to be listed in the Visa and MasterCard service provider listing programs.
  • Some payment brands may require merchants, as part of their own PCI DSS obligations, to engage only PCI DSS compliant service providers.
  • PCI DSS is a sound data security standard that helps service providers meet a baseline level of security.
  • By establishing a formal PCI DSS program, the service provider avoids being the reason its customers fail their overall PCI DSS compliance assessment.

PCI compliance tips for Service Providers

No matter what type of service provider you are or how many cards you process, you need to make sure that you protect your customers’ data and comply with all of your PCI requirements, because the security of the customer data and cardholder data you process is your responsibility.

PCI DSS compliance demonstrates to your current and potential customers that you are committed to providing a robust security environment across all of your procedures, policies, and controls, whether or not you deal directly with cardholder data.

Taking the time to complete the PCI level 1 assessment with the help of a certified QSA ensures your adherence to security standards and procedures is verified.

You may also want to consider hiring a consultant to determine how far along you are in the compliance process. The documents you then provide to your assessor can guide you through the compliance reporting process and ensure that the descriptions of the measures you have taken are complete and accurate.

Here are a few tips to help service providers comply with PCI:

Understand the PCI scope: Create a diagram that tracks how card data flows inside and outside your network. In this way, you can determine which parts of your environment you need to protect.

Document everything: Keeping your policies and procedures in line with PCI criteria will help you demonstrate PCI compliance. Besides, these documents will serve as a guide that your employees should follow.

Talk to a PCI expert: PCI compliance can be a bit complicated. Talk to a Qualified Security Assessor (QSA) to see which elements of PCI DSS your business should focus on.

The critical point is first to determine whether you are a merchant or a service provider. Next, you need to calculate your transaction volume per payment brand. Do not look only at the volume of transactions you are processing today: if you have a growth plan, it is more appropriate to build your compliance program around the next level.
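The leveling rules above (totals summed across all customers, per brand, with the separate AMEX threshold and JCB not leveled by volume) and the advice to plan for the next level can be captured in a short calculation. The following Python is an added example written for this page, not code from the page’s author or from any card brand. The customer names and transaction counts are constructed, the growth rate is a planning assumption, and the treatment of exactly 300,000 transactions (not addressed on the page) as Level 2 is an assumption noted in the code.

```python
from collections import defaultdict

# Level 1 thresholds per brand, as stated on this page: more than 300,000 transactions
# per year for Visa, Mastercard (including Maestro) and Discover; 2.5 million or more
# for American Express. JCB does not level service providers by transaction volume.
LEVEL1_THRESHOLDS = {
    "visa": 300_000,
    "mastercard": 300_000,
    "discover": 300_000,
    "amex": 2_500_000,
}


def aggregate_by_brand(customer_volumes):
    """Sum annual transaction counts per brand across ALL customers.

    The level is based on the service provider's total volume, not on any single
    customer's volume. customer_volumes is an iterable of
    (customer_name, brand, annual_transaction_count) tuples.
    """
    totals = defaultdict(int)
    for _customer, brand, count in customer_volumes:
        totals[brand.lower()] += count
    return dict(totals)


def service_provider_level(brand, annual_total):
    """Return 1 or 2 for a leveled brand, or None for JCB (not leveled by volume)."""
    brand = brand.lower()
    if brand == "jcb":
        return None
    threshold = LEVEL1_THRESHOLDS[brand]
    if brand == "amex":
        # Page text: "2.5 million or more" is Level 1.
        return 1 if annual_total >= threshold else 2
    # Page text: "more than 300,000" is Level 1, "less than 300,000" is Level 2.
    # Exactly 300,000 is not addressed on the page; treating it as Level 2 is an assumption.
    return 1 if annual_total > threshold else 2


def level_report(customer_volumes, growth_rate=0.0):
    """Per-brand totals, current level, and the level at projected growth.

    growth_rate is a planning assumption (e.g. 0.10 for 10 % more transactions next
    year), following the page's advice to plan for the next level, not today's volume.
    """
    totals = aggregate_by_brand(customer_volumes)
    report = {}
    for brand, total in totals.items():
        projected = round(total * (1 + growth_rate))
        report[brand] = {
            "total": total,
            "level": service_provider_level(brand, total),
            "projected_level": service_provider_level(brand, projected),
        }
    return report


def required_assessment(report):
    """Level 1 for any brand means an on-site QSA assessment (ROC); otherwise SAQ D."""
    if any(entry["level"] == 1 for entry in report.values()):
        return "ROC"
    return "SAQ D"


# Constructed sample data (hypothetical customers and counts, not real figures).
# No single customer exceeds 300,000 Visa transactions, but the total does.
SAMPLE_VOLUMES = [
    ("Customer A", "visa", 120_000),
    ("Customer B", "visa", 150_000),
    ("Customer C", "visa", 40_000),
    ("Customer A", "mastercard", 100_000),
    ("Customer B", "mastercard", 90_000),
    ("Customer A", "amex", 1_000_000),
    ("Customer C", "amex", 1_400_000),
    ("Customer B", "jcb", 5_000),
]

if __name__ == "__main__":
    report = level_report(SAMPLE_VOLUMES, growth_rate=0.10)
    for brand, entry in sorted(report.items()):
        print(f"{brand:<10} total={entry['total']:>9,} level={entry['level']} "
              f"projected_level={entry['projected_level']}")
    print("Required assessment:", required_assessment(report))
```

With the sample data, Visa comes out as Level 1 even though no single customer crosses the threshold, and AMEX is Level 2 today but becomes Level 1 at 10 % growth, which is exactly the situation where building the program around the next level avoids a surprise.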

Now that we’ve explained the different levels of PCI DSS compliance for service providers, you can determine what level you are at and then begin to consider the process.

For detailed information, you can review Mastercard’s and Visa’s service provider requirements.

Surkay Baykara, https://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.
