
What Are the Service Provider Levels

Service Providers and Their Role in PCI compliance

By Mary Fleming. Published 9 months ago. 3 min read

In this blog, we shift our focus to service providers and their role in PCI compliance. According to the PCI Security Standards Council, a service provider is a business entity that is not a payment brand but is directly involved in processing, storing, or transmitting cardholder data. This definition also includes companies whose services have the potential to impact the security of cardholder data. It's important to note that a payment processor is indeed considered a service provider. Other examples include managed service providers (MSPs) offering managed network devices such as firewalls and IDS, as well as organizations that process payments on behalf of others, such as fundraising services.

In addition to the aforementioned considerations, it's essential to emphasize that a merchant that accepts payment cards for the sale of goods and services may assume the role of a service provider under specific circumstances. This occurs when they engage in the storage, processing, or transmission of cardholder data on behalf of other merchants or service providers. This multifaceted classification can be illustrated by examining the case of an Internet service provider (ISP). An ISP primarily functions as a merchant when it accepts payments for its own services. However, when it extends its services to include hosting for merchants engaged in processing their own payments, it can also be categorized as a service provider in this context.

Unfortunately, a significant number of service providers may not fully grasp their classification or the attendant responsibilities that come with it. It is imperative for service providers to gain a comprehensive understanding of their role, which fundamentally revolves around the secure handling of cardholder data on behalf of another entity.

Moreover, it's crucial to note that the specific validation and reporting requirements imposed on service providers vary depending on the payment card brand they are associated with. Major card brands such as Visa, Mastercard, American Express, UnionPay, and Discover have devised distinct categorization criteria for service providers, often taking into account transaction volume and the type of services provided. For these brands, service providers are grouped into different levels, each delineated by specific transaction volume thresholds or service characteristics.

However, it's worth highlighting that JCB does not categorize service providers based on transaction volume, employing a different approach to determine their compliance requirements. This diversity in categorization underscores the need for service providers to be well-informed about the specific expectations and standards set forth by the payment card brands they engage with, ensuring their adherence to the requisite security measures and reporting obligations.

In general, there are two ways for a service provider to validate PCI compliance:

1. Level 1 service providers: These providers either process, store, and/or transmit JCB transactions or process, store, and/or transmit over 300,000 Visa, Mastercard, American Express, UnionPay, or Discover transactions. Level 1 service providers must obtain an annual Report on Compliance (RoC) prepared by a Qualified Security Assessor (QSA) and undergo quarterly vulnerability scanning by an Approved Scanning Vendor (ASV).

2. Level 2 service providers: These providers process, store, and/or transmit fewer than 300,000 Visa, Mastercard, American Express, UnionPay, or Discover transactions. Level 2 service providers must validate their PCI compliance by completing Self-Assessment Questionnaire D (SAQ D), which is specific to service providers, and undergo quarterly vulnerability scans by an ASV.

It's crucial to have a clear understanding of whether your organization falls under the merchant or service provider category, as well as the transaction levels for each payment card brand. When determining your level, it's not sufficient to consider only your current transaction volume; it's also important to consider future growth and whether you may move into a higher transaction level. By doing so, you can focus your compliance efforts on the appropriate level and ensure a robust compliance program.


About the Creator

Mary Fleming

I'm an experienced consultant skilled in Payment Card Industry Data Security Standard (PCI DSS). Strong consulting professional with a Master of Science (MSc) focused in Information Management and Security.
