For a general overview of how compliance levels operate in the PCI world, check our previous article on compliance levels for merchants. As with merchants, the PCI Security Standards Council doesn’t have anything to do with defining the service provider levels – that’s all handled by the individual card brands. Also as with merchants, there are significant differences between the card brands in how they define those levels.
Service Providers are something of a special case in the PCI world, as almost by definition they are in business to provide service to multiple PCI compliant businesses. This presents a different risk profile compared to merchants, and so some different compliance and validation requirements.
What are PCI Service Providers?
The PCI world is basically split into two groups: merchants, and service providers. If your business handles PCI Cardholder Data (CHD), or does things which impact the security of a Cardholder Data Environment (CDE), and you are not a merchant, then you’re a service provider.
Be aware that it is possible to be both a merchant and a service provider. That complicates things, and can lead to arguments as some organizations would prefer to be considered as merchants only.
The following is not an exhaustive list of service provider types, but it shows the range of companies that can find themselves classified as service providers:
- Third Party Processors (TPPs)
- 3-Domain Security (3DS)
- Tokenization Services
- Colocation Providers (for physical security)
A good overview of the different services that could be offered by a service provider is available in the Service Provider AOC template. When completing the Service Provider AOC, service providers are required to select, from a set of check boxes, which services they provide and were in scope for this assessment.
Working with Service Providers
Companies which are required to be PCI DSS compliant regularly use service providers in their day-to-day business. For business operations which don’t fall into your PCI DSS scope, you can continue as normal and not give PCI another thought. But if the services provided fall into PCI DSS scope, then you need to carefully consider the implications of using a service provider compared to doing the work yourself.
When selecting a service provider for an in-scope service, you need to be very careful to review the covered services. For example, a colocation provider with a PCI Service Provider AOC will almost certainly have been assessed for their physical security. However they may also offer additional services as an upsell such as firewall management. Before a PCI compliant company can take advantage of that firewall management service, they need to ensure that particular service is included in scope for the AOC.
It is possible to use services from a service provider that are not covered by that provider’s AOC. However at that point you are taking responsibility for ensuring the provider is operating that service in a compliant way. It will have to be included in your PCI scoping if they can’t or won’t expand the scope of their assessment. As such, it’s a situation that’s generally best avoided if possible.
How are Service Providers treated differently to Merchants?
There are two fundamental ways that service providers are treated differently to merchants:
- they have some additional requirements to which they are subject
- they have less opportunity to self-assess
Addressing the first point: if you review the PCI DSS, you’ll see that most requirements apply equally to everyone subject to the standard. But there are some requirements marked as Service Provider only. Generally these Service provider items require additional controls that impact how you segregate and identify the data belonging to your different clients.
Since these are requirements that only exist when there are multiple clients, it’s reasonable that they should only apply to service providers.
To the second point: Service Providers are given less ability to self-assess because of the nature of their business. Service Providers come into contact with cardholder data from multiple sources, and their business is typically built around integration points and data flows.
The risks arising from a service provider breach are seen as significantly higher. This is driven by both increased likelihood of a breach due to the integration points, and increased exposure from the breach because of the different sets of Cardholder Data being processed.
This lower ability to self assess appears in two different ways.
With most card brands, the threshold for undergoing a full on-site assessment is much lower. Mastercard and Visa both allow merchants to handle 6 million transactions per year before needing an on-site assessment; for service providers the same limit is only 300,000 transactions.
For a merchant, some of the card brands allow an on-site assessment to be done by an ISA or even someone without a PCI qualification at all, rather than a 3rd party QSA. Service providers are not given this choice, and most of the major card brands require that their on-site assessment is conducted by a QSA.
Compliance Levels by Card Brand
As with merchants, the level of a service provider is determined by rules set by each card brand. There are no overarching rules from the PCI Security Standards Council in this regard.
Each card brand publishes rules which govern which level a service provider should be considered. For some card brands, the level is purely driven by overall transaction volumes; for others the rules also take into account the types of service being offered by the provider. Mastercard in particular has a significant number of different provider types listed in their breakdown, some of which are automatically level 1 even if they have a trivially small annual transaction volume.
If you look at the merchant levels, you’ll see that there are between 2 and 4 levels a merchant may be categorized, depending on card brand. While there are significant differences between the card brands as to the definition of service provider levels, one thing they all agree on is that there are just 2 levels.
Once the level is determined, there are specific assessment and reporting requirements set by each brand for service providers of each level. These requirements are in a further section below. Here, we list the rules used to determine a service provider’s level:
|1||Processing over 2.5 million American Express Card transactions annually, or any service provider that American Express deems a Level 1.||All service providers that store, process, and/or transmit over 300,000 Discover card transactions per year Any service provider that Discover deems to be Level 1.||Third Party Processors processing one million or more transactions per year.||All Third Party Processors (TPPs) All Staged Digital Wallet Operators (SDWOs) All Digital Activity Service Providers (DASPs) All Token Service Providers (TSPs) All 3-D Secure Service Providers (3-DSSPs) All Data Storage Entities (DSEs) and Payment Facilitators (PFs) with more than 300,000 total combined Mastercard and Maestro transactions annually||VisaNet processors or any service provider that stores, processes, and/or transmits over 300,000 transactions per year.|
|2||Processing less than 2.5 million American Express transactions annually.||All service providers that store, process, and/or transmit less than 300,000 Discover card transactions per year.||Third Party Processors processing less than one million transactions per year.||All DSEs and PFs with 300,000 or less total combined Mastercard and Maestro transactions annually All Terminal Servicers (TSs)||VisaNet processors or any service provider that stores, processes, and/or transmits less than 300,000 transactions per year.|
Assessment & Reporting Requirements by Card Brand
As previously stated, the assessment and reporting requirements for service providers are driven by the provider’s level. Because there are only two levels, there are basically two options available to service providers: either have an on-site audit conducted by a QSA, or do a Self Assessment Questionnaire.
If an on-site audit is required, then unlike merchants, this must be done by a QSA. There is no option to have an internal member of staff perform this duty for service providers.
In the case of an SAQ, this will be SAQ D Service Provider, as the only SAQ targetted at service providers.
|1||Annual on-site Security Assessment conducted by either a QSA, or an internal auditor with results certified by CEO, CFO, CISO, or principal Conduct quarterly network scans by an ASV and submit the AOSC or executive summary||Annual on-site assessment by a QSA Quarterly network scans performed by an ASV||Annual on-site assessment by a QSA Quarterly network scan conducted by an ASV||Annual on-site Assessment conducted by a QSA Quarterly network scan conducted by an ASV||Annual ROC produced by QSA Quarterly network scan by ASV Attestation of Compliance form|
|2||Complete an annual SAQ and have it certified by CEO, CFO, CISO, or principal Conduct quarterly network scans by an ASV and submit the AOSC or executive summary||Annual SAQ Quarterly network scan conducted by an ASV||Annual SAQ Quarterly network scan conducted by an ASV||Annual SAQ Quarterly network scan conducted by an ASV||Annual SAQ Quarterly network scan by ASV Attestation of Compliance form|
Note: JCB currently states that Acquirers and Issuers must comply with PCI DSS regardless of volume, but decline to state what the validation procedures are.
Card Brand Sites
The card brands all publish public information on their information security programs. These outline how merchants and service providers are categorized into different levels, and also what the assessment requirements are for entities at each level.
Mastercard and Visa also publish lists of level 1 service providers that have successfully completed an on-site assessment. These are published to help merchants and others choose compliant service providers as they build out their card processing environment.
At this time we are not aware of similar service provider registries for American Express, Discover, and JCB. If you are aware of a public link to such a registry, please mail us so we can review and update the table accordingly.
|Card Brand||Information Security Program||Service Provider Registry|
|American Express||https://merchant-channel.americanexpress.com/merchant/en_US/data-security||Not found – feel free to contact with a public link|
|Discover||https://www.discoverglobalnetwork.com/en-us/business-resources/fraud-security/pci-rules-regulations/service-provider-compliance||Not found – feel free to contact with a public link|
|JCB||https://www.global.jcb/en/products/security/data-security-program/index.html||Not found – feel free to contact with a public link|