If you’re reading this, you’ve probably been told that you need to be PCI compliant, either by your bank or by your customer. Even if you don’t directly accept credit or debit cards, PCI DSS may still apply to you if you have the ability to affect the security of someone else’s cardholder data environment.

This means if you’re a managed service provider, a data centre, a web hosting provider, or you develop software or applications for one of your customers, PCI DSS might apply to you.

What’s the Difference Between a Service Provider and a Merchant?

Let’s start with the definitions from the PCI Security Standards Council.

Merchant

“A merchant is any entity that accepts payments for goods and services.”

Service Provider

“A service provider is any entity that is not a payment brand, that is directly involved in the storage, processing, or transmission of cardholder data on behalf of another entity. Service providers also include companies that provide services that control or could impact the security of cardholder data (for example, managed firewalls, hosting providers, etc.).”

Can You Be a Service Provider and a Merchant?

Absolutely! In the definition of a merchant, it specifically states that an entity “that accepts payment cards as payment for goods and/or services can also be a service provider if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers”. So as a hosting provider, you may take credit card payments for your services (making you a merchant), but you are also a service provider for the web hosting services that you provide to your customers who use your services to take payments on their website.

What Does it Really Mean to be a Service Provider?

If you’re a service provider, there are a few key areas that you need to be aware of that are different from your obligations as a merchant.

Transaction Levels and PCI Levels

If you are a service provider, there are only 2 “levels” based on your transaction volumes (rather than the 4 “levels” that are applied to merchants”. This will affect your reporting requirements.

Merchant Levels

Merchant LevelNumber of Transactions (Annual)Payment ChannelAssessment Requirements
Level 16+ MillionAll ChannelsAnnual Onsite Assessment (RoC) by a QSA
Level 21 - 6 MillionAll ChannelsSelf-Assessment Questionnaire (SAQ) by an ISA
Onsite assessment by a QSA (MasterCard)
Level 320,000 - 1 MillionE-CommerceSelf-Assessment Questionnaire (SAQ)
Level 4Up to 1 MillionAll ChannelsSelf-Assessment Questionnaire (SAQ)
Fewer than 20,000E-CommerceSelf-Assessment Questionnaire (SAQ)

Service Provider Levels

Service Provider LevelsTransaction Volume (Annually)Assessment Type
Level 1More than 300,000 transactionsReport on Compliance (RoC)
Level 2Fewer than 300,000 transactionsSelf-Assessment Questionnaire (SAQ)

Reporting Requirements

Your transaction level is part of what determines your reporting requirements. Your reporting requirements might also be driven by your bank’s request, the card brands’ request, or your customers’ request. Once you store, process, or transmit more than 300,000 transactions annually, you are required to complete a full report on compliance or RoC which requires a full independent assessment by a QSA. This is much lower than the threshold for a merchant which requires more than 6 million transactions before a RoC is generally required.

Self-Assessing

If you are able to self-assess, service providers must use SAQ D for Service Providers. Having to use this form does not mean that all requirements are immediately applicable to you. But you will need to review them all to understand which ones are. Sometimes your stakeholders might require an independent assessment to help give them and other interested parties a level of confidence in your organisation’s security practices. As a service provider you cannot use any of the other SAQ forms.

Additional PCI Requirements

Finally, as a service provider you are also expected to comply with some additional requirements. There are approximately 17 additional requirements specific to service providers in PCI DSS v3.2.1. You may also have to comply with Appendix A1 or A2. Once again, you might not have to comply with all of the requirements specific to service providers, and it may only be a sub-set of these requirements depending on the services that you provide.

After Reading All That, Do I Really Have to be Compliant?

In New Zealand, merchants are not currently required to use PCI compliant service providers. However, your bank or the card brands may mandate that you only use compliant service providers.

If you are a service provider and you are not compliant as such, your customer will need to include you within the scope of their own assessment. This means that an assessor will need to interview your staff, review system configurations, and review documentation to ensure that the customer’s services are being provided in a complaint manner.

If you have several customers who have PCI DSS requirements, you may find that it is more cost effective to undertake an assessment as a service provider. The result is that rather than being included in each of your customers’ assessments, you would only need to provide a copy of your Attestation of Compliance to your customers annually once your PCI assessment is completed.

Need Help?

Regardless of whether you’re a merchant or a service provider, Confide can help you with your PCI compliance. Talk to us to see how we can help you.