PCI Compliance for Service Providers

If you’re a merchant, it’s obvious that you need to be PCI DSS compliant. After all, the regulations are designed for businesses that accept credit card payments, and you accept credit card payments.

But there are other organizations that can influence how a company stores, processes, or transmits credit card data.

For the purpose of the PCI DSS these companies are considered “service providers”, and they have their own set of PCI DSS regulations to follow.

Do I Need To Be PCI DSS Compliant?

The definition of a service provider is a confusing one.

According to the PCI SSC, a service provider is:

“A business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data.”

So what does that mean?

Here’s a short list of some business types which may need to be PCI DSS compliant:

  • Secure shredding/data destruction companies
  • Managed security services (e.g. managed firewall services)
  • Transaction processors (e.g. PayPal)
  • Credit reporting services
  • Remittance companies
  • Web hosting companies
  • Data centres
  • Cloud storage/cloud computing providers
  • Call centres
  • Customer loyalty program operators
  • Physical credit card creation/embossing services (e.g. card issuers)

To make it even more confusing, if you accept credit card payments yourself, you might qualify as both a service provider and a merchant.

What Are The Compliance Levels For PCI DSS Service Providers?

As with merchants, the PCI DSS defines compliance levels for service providers.

Instead of four, though, there are only two, and the thresholds for each level differ by card brand.

PCI DSS Compliance For Level 1 Service Providers

If you’re a level 1 service provider, your organization processes the following:

  • Visa - Over 300,000 Visa transactions per year, or VisaNet processors
  • Mastercard - Over 300,000 Mastercard and Maestro transactions per year, and all third-party processors (TPPs)
  • American Express - 2.5 million or more AmEx transactions per year
  • Discover - Over 300,000 Discover transactions per year
  • JCB - All service providers, regardless of the number of transactions

It’s worth noting that American Express and Discover may, at their own discretion, decide that you’re a level 1 service provider.

If you fall into this category, you’ll need to comply with the following:

  • An on-site assessment by a qualified security assessor (QSA) completed once per year
  • A network scan by an approved scanning vendor (ASV) completed once per quarter

PCI DSS Compliance For Level 2 Service Providers

If you’re a level 2 service provider, your organization processes the following:

  • Visa - Up to 300,000 Visa transactions per year, or VisaNet processors
  • Mastercard - Over 300,000 Mastercard and Maestro transactions per year, and all third-party processors (TPPs)
  • American Express - 2.5 million or more AmEx transactions per year
  • Discover - Over 300,000 Discover transactions per year

Note that JCB does not have a level 2 service provider designation. Regardless of how many or how few JCB transactions you process, you fall under the level 1 compliance regulations.

Level 2 service providers must meet the following requirements to remain PCI DSS compliant:

  • Complete a PCI DSS self-assessment questionnaire (SAQ) form D for service providers once per year
  • Conduct a network scan once per quarter by an approved scanning vendor (ASV)

PCI DSS Compliance Solutions For Service Providers

If you’re a service provider, 1st Secure IT has solutions for you to keep you PCI DSS compliant.

And if you aren’t sure whether or not your business falls under the aegis of PCI DSS regulations, contact us to find out.

Below you’ll find out more about our PCI DSS compliance solutions for service providers.

On-Site QSA Validation For Level 1 Service Providers

If you’re a level 1 service provider, you may be a large corporate entity or multinational enterprise. Because of the significant number of transactions passing through your business, it’s important to make sure you remain PCI DSS compliant.

On top of that, you likely accept credit card transactions yourself, so you may be a PCI DSS merchant as well.

1st Secure IT can help you make sense of all this.

For level 1 service providers, we offer an on-site QSA validation service. This is an all-in-one “hand-holding” solution which will give you everything you need to maintain PCI DSS compliance.

You’ll get an experienced QSA on-site with you to:

  • Determine the scope of your compliance needs
  • Scan your network for vulnerabilities
  • Run a series of penetration tests
  • Run a gap analysis to identify what’s missing in your systems
  • Complete your Report on Compliance (ROC)
  • Fulfill any other PCI DSS needs you may have

To find out more about 1st Secure IT’s QSA services for service providers, call us at 1-866-735-3369 or email us at info@1stsecureit.com

PCI DSS Self-Assessment Validation Service For Level 2 Service Providers

If you’re a level 2 service provider, it’s possible to do your Self-Assessment Questionnaire (SAQ) form D for service providers yourself.

However, completing these forms is not always straightforward. Navigating the process can be confusing and overwhelming at times.

But you’re not alone. 1st Secure IT has you covered.

We’ll help you through the process of completing your SAQ and perform the ASV vulnerability scan you need to stay PCI DSS compliant.

Contact 1st Secure IT today by phone at 1-866-735-3369 or email us at info@1stsecureit.com to find out more.

ASV Vulnerability Scanning Service

As part of your PCI DSS compliance, whether you’re a level 1 or 2, you need to have an ASV scan completed at least once per quarter.

1st Secure IT can complete these scans for you, providing the basics you need to meet the PCI DSS requirements as well as guidance on how to go above and beyond these minimum requirements to achieve the highest level of protection.

Call 1st Secure IT at 1-866-735-3369 or email us at info@1stsecureit.com for more information.

Contact 1st Secure IT

Here at 1st Secure IT, we’ve been in the world of PCI DSS compliance for a long time. We’ve helped businesses large and small navigate the confusing world of PCI DSS compliance, from small mom and pop shops to multinational corporations.

Contact 1st Secure IT. We can help you navigate the world of PCI DSS.

If you’re a merchant, we’ll help you understand what level you fall under and what you need to do to be compliant.

And if you’re not, we’ll help you understand whether your business qualifies as a service provider. And if you do, we’ll help you become compliant.

PCI DSS fines can be heavy, and if you’ve been particularly negligent they can potentially cost you millions of dollars.

Don’t leave your business at risk. Contact 1st Secure IT today and keep yourself safe and secure in an uncertain digital world.

If you need help getting started... Contact Us!