PCI: Level 1 and Level 2 Service Providers

In the vast world of PCI, service providers can qualify as either Level 1 or Level 2 providers depending on a few different factors. You may be asking yourself, “What exactly is a service provider?” Visa defines service providers as “organizations that process, store, or transmit Visa cardholder data on behalf of Visa clients, merchants, or other service providers.” Although this is a statement from Visa, the other card brands have very similar definitions. The basic difference between the provider levels is the number of transactions processed by the service provider.

 

Below are the requirements by Visa and Mastercard:

 


 

| Service Provider Level | Description |
|---|---|
| 1 | Any service provider that stores, processes and/or transmits over 300,000 transactions annually |
| 2 | Any service provider that stores, processes and/or transmits less than 300,000 transactions annually |

 


 

 

These two different service provider levels also have slightly different compliance validation requirements:

 


 

| Service Provider Level | Validation Action | Validated By |
|---|---|---|
| 1 | Annual On-Site PCI Data Security Assessment; Quarterly Network Scan by an Approved Scanning Vendor | Qualified Security Assessor; Approved Scanning Vendor |
| 2 | Annual PCI Self-Assessment Questionnaire; Quarterly Network Scan by an Approved Scanning Vendor | Service Provider; Approved Scanning Vendor |

 


 
