Defining Service Provider Validation Levels
In addition to merchants, PCI DSS validation requirements extend to service providers as well.
According to Visa, service providers are defined as organizations that process, store, or transmit Visa cardholder data on behalf of Visa members, merchants, or other third parties. Card issuers and acquirers are responsible for making sure that their merchants utilize service providers that are compliant with the PCI DSS, even though there might not be a true contract between merchant service providers and acquirers.
MasterCard defines a service provider as an encompassing term for Third Party Processors (TPPs) and Data Storage Entities (DSEs).
According to the MasterCard Web site, Web merchants routinely contract with service providers to "facilitate many business functions, including, but not limited to, offering and selling their content online, payment services, hosting applications and processing."
Visa and MasterCard service providers are responsible for any liability that may occur as a result of non-compliance.
The current Service Provider Levels for Visa and MasterCard are as follows:
- Level 1 Visa - All VisaNet processors (member and non-member) and all payment gateways, that is, any agent or service provider that stores, processes, and/or transmits cardholder data as part of a payment transaction.
- Level 2 Visa - Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually.
- Level 3 Visa - Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually.
- Level 4 Visa - Merchants processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.
- Level 1 MasterCard - All TPPs and DSEs that store account data on behalf of Level 1 or Level 2 merchants.
- Level 2 MasterCard - All DSEs that store account data on behalf of Level 3 merchants.
- Level 3 MasterCard - All other DSEs not included in Levels 1 and 2.
- Level 4 MasterCard - Any other merchant not covered in Level 1, Level 2 and Level 3 compliance qualifications.
The current Visa and MasterCard Service Provider Validation Requirements are as follows:
- Level 1 Visa - Annual On-Site PCI Data Security Assessment and Quarterly Network Scan, validated by a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV).
- Level 2 Visa - Annual On-Site PCI Data Security Assessment and Quarterly Network Scan, validated by a QSA and an ASV.
- Level 3 Visa - Annual PCI Self-Assessment Questionnaire, validated by the service provider, and a Quarterly Network Scan, validated by an ASV.
- Level 1 MasterCard - Annual onsite review by merchant's internal auditor or a QSA, and a quarterly network security scan with an ASV.
- Level 2 MasterCard - Annual onsite review by merchant's internal auditor or a QSA, and a quarterly network security scan with an ASV.
- Level 3 MasterCard - Annual PCI Self-Assessment Questionnaire, validated by the service provider, and a Quarterly Network Scan, validated by an ASV.
High Risk Merchant or Service Provider
Any merchant or service provider who continues to use non-compliant payment applications, that is, applications that store magnetic stripe, CVV or CVV2, and PIN data, is considered High Risk.
If a merchant or service provider is considered High Risk, it will be contacted by the acquirer and, regardless of its compliance level, will be subject to an onsite review by an internal auditor or a QSA.
Competing Cards: American Express and Discover
As stated earlier in this article, American Express and Discover Card do not, as of now, have guidelines or procedures of their own comparable to those of Visa and MasterCard; however, they do direct their merchants to follow the PCI DSS.
As a caveat within the CISP guidelines, Visa and MasterCard reserve the right to require merchants and service providers who process competing cards (most merchants process more than one credit card brand) to adhere to the CISP/PCI guidelines if Visa or MasterCard feels that the merchant has compromised, or is compromising, credit card data in some way, if there is evidence of a previous hack or attack that compromised data, and if the competing card's transaction volume equals that of a Level 1 merchant.