If your company shares any cardholder data with a third party, the payment card industry considers that vendor a service provider. As such, it must meet PCI DSS service provider standards to protect the security of the cardholder data it holds, stores or transmits. Adherence to PCI service provider standards is just as necessary for companies to which you outsource any task that could affect data security, even if they have no direct contact with confidential details.
PCI Service Providers Examples
Any entity you hire to hold or manage your customers’ data falls into the PCI service provider category. There are also less obvious examples of service providers. For instance, consider a firm you hire to manage your antivirus protection and firewalls. Although this vendor has no direct access to customers’ information in this role, it could certainly put that information in jeopardy by failing to keep your systems secure. One slip while making changes to firewall rules could leave your entire system vulnerable to hackers and criminals.
Another example of a PCI service provider is any remote vendor you hire to assist with your site or internal hosting systems.
Once you provide them with administrative-level access to your in-scope systems, any missteps on their part could compromise your cardholder data. As a result, you should consider them a PCI service provider. As such, they would be required to provide you with a signed Attestation of Compliance annually while remaining PCI-compliant at all times. To further lock down the obligations of the third party, make sure the contract you both sign specifies the vendor’s responsibilities for securing and protecting cardholder data.
PCI Service Provider Levels
As you probably already know, Visa, Mastercard, Discover and American Express categorize merchants that process credit cards into levels based on the volume of transactions they process:
- Level 1 merchants process over 6 million Visa transactions annually across all channels;
- Level 2 merchants process between 1 and 6 million transactions across all channels;
- Level 3 merchants process 20,000 to 1 million e-commerce transactions annually. PCI Level 3 certification is still necessary even for these smaller merchants.
- Level 4 merchants process fewer than 20,000 transactions or do not fall into the other level categories for some other reason. PCI certification is still necessary.
As with most other aspects of business, one size does not fit all when it comes to PCI service providers. Like merchants, they fall into different Visa service provider levels according to credit card processing volume, as follows:
- A PCI Level 1 service provider processes, stores or transmits more than 300,000 credit card transactions annually. It must file an annual Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA). Furthermore, it needs a quarterly network scan, a penetration test and an internal scan, and must provide an Attestation of Compliance (AOC) form.
- A Level 2 service provider stores, processes or transmits fewer than 300,000 credit card transactions yearly. To obtain PCI Level 2 certification, an organization must complete a Self-Assessment Questionnaire (SAQ) annually. An internal scan, a penetration test and a quarterly network scan, as well as an Attestation of Compliance for Service Providers form, are also necessary.
The two PCI service provider levels help organizations to understand their place in the compliance arena as well as the requirements they must satisfy.
Tips to Become PCI Compliant
For a service organization of any type, demonstrating a commitment to PCI compliance is a necessity. It shows your current and potential customers that you are committed to maintaining a robust security environment in all of your procedures, policies and controls, whether or not you directly handle their cardholder data. Completing a PCI Level 1 assessment with the help of an approved QSA validates your commitment to security standards and procedures. To determine how far along you are in the compliance process, you may also want to evaluate the feasibility of hiring a consultant. This vendor can partner with you throughout the compliance reporting process to ensure that the documentation you provide to your auditor is thorough, fair and accurate in describing the measures you have taken.
A quick online search readily reveals many well-respected PCI compliance consultants whom you can contact. One of the most reputable is TrustNet, a PCI Qualified Security Assessor (QSA). This gold-standard company is ready to help companies at all stages of the PCI compliance cycle. In short, any procedures that you can implement to lower your risk of even a hint of data vulnerability will be beneficial both to you and to your clients and partners. Once you know the definition of PCI compliance for service organizations and what steps you should take to attain it, doing the work can become less arduous and more rewarding. You can then count yourself among those on the PCI service provider list who have demonstrated their willingness to go the extra mile to safeguard their systems and the clients who rely on them.