“Ask the QSA”
Question: My organization is an online service provider. Our customers are merchants (i.e., our customers are receiving the payment through our servers) and the credit card payment storage is done by a Level 1 PCI DSS Validated third party. Does my organization have to be PCI compliant?
Answer: Since your organization processes and/or transmits credit card data, your organization is required to be PCI compliant. And, like the third party that stores your credit card data, your organization also aligns with the PCI Security Standards Council’s definition of a “service provider”:
“Any business entity that is not a payment brand and is directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data.”
As a service provider, you may want to consider completing a PCI DSS Level 1 assessment, which involves validating your organization’s PCI compliance status with a Qualified Security Assessor (QSA). Even if your business is not subject to Level 1 Service Provider requirements, compliance validated through a QSA assessment demonstrates to your clients a strong security posture and a commitment to information security.
Here are some links for further reading on this topic:
- PCI Compliance and the Service Provider: https://www.pcicomplianceguide.org/pci-compliance-and-the-service-provider/
- How to Select a PCI-Compliant Service provider: https://www.pcicomplianceguide.org/how-to-select-a-pci-compliant-service-provider-advice-for-small-business-owners/