Are you a merchant, a service provider or both? Learn how to identify your PCI compliance level.
If you deal with payment transactions, you have probably been required to comply with the PCI DSS standard, either by your bank or by your customers. You do not even need to accept credit or debit card payments directly: whether PCI DSS applies to you depends on whether you can affect the security of someone else’s cardholder data. For example, if you are a data center, a web hosting provider, or even a software developer, PCI DSS might apply to you.
PCI DSS distinguishes two main types of entities covered by its requirements: merchants and service providers.
It is necessary to understand your business type in order to comply with PCI DSS. In one of our previous articles, you may have read about the main elements of PCI DSS compliance. Here, we explain how an organization’s status and level define which PCI DSS requirements apply to it.
The main players in the PCI DSS environment are merchants and service providers. PCI Security Standards Council – a council that consists of major payment card giants, including American Express, Discover, JCB, Mastercard, and Visa – defines both as follows:
A merchant is any entity that accepts payment cards of any of the five brands mentioned above as payment for goods and/or services. Identifying your business as a merchant is relatively easy: if you have a merchant agreement with an acquiring bank, you are a merchant within the PCI DSS scope. Every merchant obtains a merchant identification number (MID), a unique code that allows the processing of card payments.
“A service provider is any entity that is not a payment brand but is directly involved in the storage, processing, or transmission of cardholder data on behalf of another entity. Service providers also include service providers that control or could impact the security of cardholder data (for example, managed firewalls, hosting providers, etc.).” In simple terms, service providers are third-party vendors who assist merchants with the storage, processing, or transmission of cardholder data.
If a company provides a service that involves only the provision of public network access, PCI DSS does not consider it a service provider. An example is a telecommunications company providing a communication link.
A merchant that accepts card payments can also be a service provider if the products it sells result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, a web hosting provider is a merchant because it accepts payment cards for monthly billing, but it may also be a service provider if it hosts merchants as customers.
The Security Standards Council differentiates 4 merchant levels:
Level 1 merchants process the greatest volumes of card transactions each year, so they must undergo an annual PCI DSS assessment by a Qualified Security Assessor (QSA). As a result of the assessment, the merchant obtains a Report on Compliance (RoC) from its third-party assessor. The merchant is also required to submit regular network scans by an Approved Scanning Vendor (ASV) to demonstrate compliance. Hence the formula for success for PCI Merchant Level 1 looks like QSA + RoC + ASV.
If you are confused by all these abbreviations, just read our article RoC, AoC, And Other Elements Of PCI DSS Compliance.
Level 2 merchants must also undergo a third-party PCI DSS assessment on an annual basis. They also receive a Report on Compliance as a result of the assessment and must submit ASV scans quarterly. In some cases, however, Level 2 merchants may be eligible to complete a Self-Assessment Questionnaire (SAQ) instead of a RoC. This depends on the particular card brand’s requirements. Level 2 merchants should remember the following: QSA + RoC/SAQ + ASV.
Level 3 merchants do not need to undergo third-party security assessments. They conduct self-assessments using a Self-Assessment Questionnaire (SAQ). They must also complete an Attestation of Compliance (AoC) attesting to the results of their assessment. Like Level 1 and 2 merchants, Level 3 merchants must also submit quarterly ASV scans. The pattern to remember for Merchant Level 3 is SAQ + AoC + ASV.
Depending on the particular card brand’s requirements, Level 3 merchants may be responsible for meeting the requirements of another level. For instance, if a merchant falls victim to a data breach that impacts cardholder information, it may be penalized and mandated to meet the PCI Merchant Level 1 requirements.
Level 4 merchants have no reporting requirements. Their transaction volumes are low and, therefore, their security risk is considered to be low. They only need to complete an SAQ on an annual basis.
Similar to merchants, service providers also have PCI compliance levels, which are based on the number of transactions they complete per year. There are only two levels of PCI compliance for service providers:
Level 1 service providers must undergo a third-party PCI DSS assessment by a Qualified Security Assessor (QSA) on an annual basis and receive a Report on Compliance (RoC) as a result of this assessment. They must also have a quarterly network scan conducted by an Approved Scanning Vendor (ASV). The requirements also call for an Attestation of Compliance (AoC). Thus, the formula for meeting the PCI Service Provider Level 1 requirements is QSA + RoC + ASV.
Level 2 service providers must complete an annual Self-Assessment Questionnaire (SAQ) and a quarterly network scan by an Approved Scanning Vendor (ASV). The requirements also call for an Attestation of Compliance (AoC). The compliance formula is clear: SAQ + AoC + ASV.
Both merchants and service providers should maintain PCI compliance as their card processing agreements direct. Non-compliance can result in substantial fines for agreement violations and negligence. More importantly, those without it are more likely to experience payment card data breaches.
So, secure your systems, stay PCI DSS compliant, and feel free to contact Planet 9 if you have any questions. We’ll be happy to assist!