PCI Compliance for Service Providers

Definition of "Service Providers"

A Service Provider is defined as a business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).


The processes involved in the validation of compliance for service providers vary according to payment card brand. The Payment Card Industry Data Security Standard (PCI DSS) compliance validation and reporting requirements for service providers are defined according to the service provider level (i.e., the transaction volume and/or type of service provider).


Visa, MasterCard, American Express and Discover categorize service providers according to these two criteria. Additionally, these same brands have two or more distinct service provider levels that are defined by transaction volume. JCB does not categorize service providers according to transaction volume.


In general, there are two ways in which a service provider can validate its compliance with the PCI DSS.

  • If a service provider processes, stores, and/or transmits cardholder transactions for JCB, or if it processes, stores, and/or transmits more than 300,000 Visa, MasterCard, American Express or Discover cardholder transactions, it is considered a Level 1 service provider. Level 1 service providers must obtain an annual Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA) and undergo quarterly vulnerability scanning by a PCI Approved Scanning Vendor (ASV).

  • If a service provider processes, stores, and/or transmits fewer than 300,000 Visa, MasterCard, American Express or Discover cardholder transactions, it is considered a Level 2 service provider. Level 2 service providers must validate their PCI compliance by completing Version D of the annual Self-Assessment Questionnaire (SAQ) and undergoing quarterly vulnerability scans by a PCI ASV.


PCI DSS Solutions for Service Providers

On-site Qualified Security Assessor (QSA) Validation Service for Level 1 Service Providers

For Level 1 service providers, 1st Secure IT's annual on-site QSA validation service provides a comprehensive solution: it determines the project scope and provides vulnerability scanning, penetration testing, gap analysis and remediation services, followed by the final Report on Compliance (ROC). The cost of this service varies depending on the size of the engagement. For specific pricing information, please call us at 866-735-3369 or fill out our “Contact Us” page and an auditor will call you promptly.


PCI DSS Self-Assessment Validation Service for all other Service Providers

For all other service providers, PCI DSS validation consists of an SAQ Form D for Service Providers and an ASV vulnerability scan. The cost of this service is $45 per year, which includes ASV scanning for up to six public IP addresses and unlimited remediation scans. If you have more than six public IP addresses that require ASV scanning, additional blocks of six IP addresses are available for $45. To get started now, please click here.


ASV Vulnerability Scanning Service

To comply with PCI DSS, service providers must follow an effective and thorough patch and vulnerability management process. In addition to annual PCI compliance validation, the service provider must present quarterly network perimeter scan results to its acquiring bank.

The cost of our quarterly ASV vulnerability scanning service is only $45 per year. The service provides tools that accurately and efficiently evaluate the security of your internet-facing systems and help you assess and remediate vulnerabilities. The price includes scanning for up to six public IP addresses and unlimited remediation scans. If more than six public IP addresses require scanning, additional blocks of six IP addresses are available for $45. To get started now, please click here.


If you need help getting started... Contact Us!