Learn About PCI Compliance for Service Providers. 


By: Michael Simpson
Security Analyst
QSA, CISSP, CCNP
If you are a service provider who stores credit card data, PCI SAQ D likely applies to you. Service providers that process less than 300,000 card transactions may use SAQ D or submit a Report on Compliance (ROC). If service providers process more than 300,000, they are required to do a ROC.



What qualifies as a service provider? 

pci saqd, service provider, vulnerability scan
A service provider is a business entity that isn’t a payment brand, and is directly involved in the processing, storage, or transmission of cardholder data on behalf of another business. This also includes companies that provide services that control or could impact the security of cardholder data. 

If a service provider handles card data, it is required to be compliant with the PCI DSS to ensure that data is protected. Here are a few scenarios that would require a service provider to get PCI compliant: 

  • A service provider handles card data on behalf of another business 
  • Service provider provides managed firewalls used in another entity’s cardholder data environment 
  • A service provider that hosts a business’s e-commerce environment/website
Basically, if a business handles card data at any point, it needs to be fully compliant with the PCI DSS. 


What does the PCI SAQ D require of service providers?

Here are a few requirements for service providers who fill out PCI SAQ D.

Quarterly external scan

Service providers should have their network scanned for vulnerabilities at least quarterly, and after any significant change by an Approved Scanning Vendor (ASV). 

Penetration test

pci saq d, service provider, vulnerability scan By February 1, 2018, service providers that use segmentation to isolate the cardholder data environment from other networks, must perform penetration testing on segmentation controls (also known as a segmentation check) at least every 6 months and after any changes to segmentation controls/methods.

This penetration testing should be performed by a qualified internal resource or third party. If an internal resource is used, the tester should have organizational independence (though they aren’t required to be a QSA or ASV). The purpose of penetration testing segmentation controls/methods is to verify that the cardholder data environment is protected from unauthorized access.

Quarterly internal scan

Internal vulnerability scans should be performed quarterly. An internal vulnerability scan looks for network vulnerabilities locally (from the inside looking in), similarly to motion detectors inside your house. 

If an attacker is able to leverage an externally-facing vulnerability to gain some level of access to an internal device, they can then pivot and attack other systems within the corporate network from their newly acquired internal attack point. Service providers must regularly perform internal scans and remediate findings to help prevent the scope and severity of a breach. There are a variety of tools to help service providers comply with the internal vulnerability scan requirement. For example, you can:


  • Purchase an internal vulnerability scanning appliance from your ASV, or another service provider
  • Download an open source internal vulnerability scan tool from the Internet
  • Purchase and download Nessus 

Keep in mind the tool you use will still need to be configured by an expert after you purchase or download it. If you purchase an appliance, IT support service is typically included in the purchase. If you choose to use open-source scanning software, plan on spending more time researching best practice configuration tips through online forums.


Attestation of Compliance (AOC) form 

An AOC form is a document that’s completed by a Qualified Security Assessor to declare that the organization is PCI compliant.  Service providers should have this form as proof that they are compliant with the PCI DSS. 

Additional tips for service providers

  • Segment networks: keeping the card data environment separate from the rest of your network can save you a lot of time and expense on your PCI compliance initiative
  • Document policies: make sure all of your security policies are properly documented, since it will help you drive good security practices and reduce liability in the event of a breach
  • Work with an expert: If you’re not familiar with the PCI DSS or security practices in general, it’s a good idea to talk to a Qualified Security Assessor to see what needs to be done.

Need help with PCI? Talk to us! 

Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration.