Service Provider & Merchant
Any organization that stores, processes, or transmits cardholder data is required to comply with PCI DSS Standards. Depending on how an organization handles cardholder data, they are categorized into different types and levels.
PCI DSS
Service Provider
“Service Provider” as defined by PCI DSS is an organization providing services that involve transmitting, processing, or storing payment cardholder data on behalf of merchants or other service providers.
This includes entities offering payment processing services, wallet providers, platforms integrating various payment channels, online marketplaces, and others impact security of cardholder data.
Additionally, data centers providing virtual hosting services and cloud service providers are not directly involved in transaction services; maybe impact cardholder data security to some extent and are also classified as service providers.
Unlike merchants, service providers are categorized into two levels. Using VISA as an example, the classification and compliance requirements are detailed as follows:
Level 1:
- ● Processes over 300,000 transactions annually.
- ● Annual on-site assessment by a QSA with submission of a Report on Compliance (ROC).
- ● Submission of an Attestation of Compliance (AOC).
- ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).
Level 2:
- ● Processes less 300,000 transactions annually.
- ● Annual submission of a Self-Assessment Questionnaire (SAQ).
- ● Submission of an Attestation of Compliance (AOC).
- ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).
Merchant
Level 1:
- ● Processes over 6 million transactions annually.
- ● Annual on-site assessment by a QSA with submission of a Report on Compliance (ROC).
- ● Submission of an Attestation of Compliance (AOC).
- ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).
Level 2:
- ● Processes between 1 million and 6 million transactions annually.
- ● Annual submission of a Self-Assessment Questionnaire (SAQ).
- ● Submission of an Attestation of Compliance (AOC).
- ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).
Level 3:
- ● Processes between 20,000 and 1 million transactions annually.
- ● Annual submission of a Self-Assessment Questionnaire (SAQ).
- ● Submission of an Attestation of Compliance (AOC).
- ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).
Level 4:
- ● Processes up to 20,000 transactions annually.
- ● Annual submission of a Self-Assessment Questionnaire (SAQ).
- ● Submission of an Attestation of Compliance (AOC).
- ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV) (optional).
For more details, refer to the VISA website
https://usa.visa.com/support/small-business/security-compliance.html
https://usa.visa.com/partner-with-us/pci-dss-compliance-information.html
In addition, In addition, Mastercard has specific requirements for Level 2 merchants that differ significantly. If a Level 2 merchant is required to complete SAQ A, SAQ A-EP, or SAQ D for Merchant, the assessment and completion must be conducted by an approved Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). This requirement has been effective since March 2021.
For more information, welcome to contact us.
