PCI DSS Service Provider

PCI Service Provider Levels

As you probably already know, merchants processing credit cards are categorized by visa, mastercard, Discover and American Express into categories that depend on the volume of the cards they process:

• Level 1 merchants process over 6 million Visa transactions annually across all channels;
• Level 2 merchants process between 1 and 6 million transactions across all channels;
• Level 3 merchants process 20,000 to 1 million e-commerce transactions annually. pci level 3 certification is still necessary even for these smaller merchants.
• Level 4 merchants process fewer than 20,000 transactions or do not fall into the other level categories for some other reason. PCI certification is still necessary.

As with most other aspects of business, one size does not fit all when it comes to PCI service providers. Similar to merchants, they fall into different visa service provider levels according to credit card processing volume as follows:

• The PCI level 1 service provider processes, stores or transmits more than 300,000 credit card transactions annually. They must file an annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA). Furthermore, they need to get a quarterly network scan, conduct a penetration test and an internal scan and provide an Attestation of Compliance (AOC) form.
• The level 2 service provider offers data storage, transmits or processes less than 300,000 credit card transactions yearly. In order to obtain PCI level 2 certification, an organization must complete a Self-Assessment Questionnaire (SAQ) annually. An internal scan, penetration test and a quarterly network scan as well as an attestation of compliance for service providers form are also necessary.

The two PCI service provider levels help organizations to understand their place in the compliance arena as well as the requirements they must satisfy.

Tips to Become PCI Compliant

For a service organization of any type, demonstrating a commitment to PCI compliance is a necessity. It shows your current and potential customers that you are committed to promoting a robust security environment in all of your procedures, policies and controls whether or not you directly deal with their cardholder data. Taking the time to complete a PCI level 1 assessment with the help of an approved QSA provides validation of your commitment to security standards and procedures. To determine how far along you are in the compliance process, you may also want to evaluate the feasibility of hiring a consultant. This vendor can partner with you throughout the compliance reporting process to ensure that the document you provide to your auditor is thorough, fair and accurate in its descriptions of the measures you have taken.A quick online search readily reveals many well-respected PCI compliance consultants whom you can contact. One of the most reputable is TrustNet, a PCI Qualified Security Assessor (QSA). This gold-standard company is ready to help companies at all stages of the PCI compliance cycle. In short, any procedures that you can implement to lower your risk of even a hint of data vulnerability will be beneficial both to you and to your clients and partners. Once you know the definition of PCI compliance for service organizations and what steps you should take to attain it, doing the work can become less arduous and more rewarding. You can then count yourself among those on the PCI service provider list who have demonstrated their willingness to go the extra mile to safeguard their systems and the clients who rely on them.