Service providers’ PCI requirements can be different, depending on their levels. 

what are service provider levels
If you’re a service provider, you may have some different PCI requirements based on what level you are. PCI requirements for service providers vary based on the volume of annual transactions that you store, process, or transmit.

So what level service provider are you? And how do you find out? Here is some basic information on service providers, their levels, and what PCI requires of them.

SEE ALSO: How do Merchant Levels Determine PCI Compliance?

What is a service provider?

Let’s start by defining what a service provider is. This is a business entity that isn’t a payment brand, and is directly involved in the processing, storage, or transmission of cardholder data on behalf of another business. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services, as well as hosting providers and other entities.

SEE ALSO: New 3.2 Requirements for Service Providers: What You Should Know

Similar to merchants, service providers have a couple of different levels based on the volume of transactions they handle annually.
Let’s take a look at the different service provider levels.

Level 1 Service Provider

These are service providers that store, process, or transmit more than 300,000 credit card transactions annually.

PCI Requirements
Note: receiving a ROC and validating as a Level 1 Service Provider allows you to be on Visa’s Global Registry of Approved Service Providers. For many organizations, listing with Visa and other card brands is a powerful marketing tool.

Level 2 Service Provider

These are service providers that store, process, or transmit less than 300,000 credit card transactions annually.
service provider
PCI Requirements
  • Annual Self-Assessment Questionnaire (SAQ) D
  • Quarterly network scan by ASV
  • Penetration Test
  • Internal Scan
  • AOC Form
Note: occasionally, a Level 2 Service Provider will be asked by its partners, clients, integration partners, etc. to validate compliance as a Level 1 with a QSA onsite assessment. Level 2 Service Providers will also sometimes choose to validate as a Level 1 in order to be on Visa’s Global Registry of Approved Service Providers.

Tips to get PCI compliant 

No matter what level of service provider you may be or how many cards you process, you need to make sure you’re protecting your data and you’re compliant with all of your PCI requirements.

Here a few tips to help you get PCI compliant:
  • Talk with a PCI professional: PCI compliance can get a little complex. Talk to a Qualified Security Assessor (QSA) to see what elements of the PCI DSS your business needs to focus on 
  • Understand your PCI scope: create a diagram to track where your card data moves in and out of your network. This will help you determine which areas of your business environment need to be secured  
  • Document everything: having proper documentation with your policies and procedures will help you give proof of PCI compliance and help you stay organized in data security 
Want to know more about getting PCI compliant? Read our SecurityMetrics Guide to PCI DSS Compliance.

SecurityMetrics Guide to PCI DSS Compliance