If you’re reading this, you’ve probably been told that you need to be PCI compliant, either by your bank or by your customer. Even if you don’t directly accept credit or debit cards, PCI DSS may still apply to you if you have the ability to affect the security of someone else’s cardholder data environment.
This means if you’re a managed service provider, a data centre, a web hosting provider, or you develop software or applications for one of your customers, PCI DSS might apply to you.
What’s the Difference Between a Service Provider and a Merchant?
Let’s start with the definitions from the PCI Security Standards Council.
Can You Be a Service Provider and a Merchant?
Absolutely! In the definition of a merchant, it specifically states that an entity “that accepts payment cards as payment for goods and/or services can also be a service provider if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers”. So as a hosting provider, you may take credit card payments for your services (making you a merchant), but you are also a service provider for the web hosting services that you provide to your customers who use your services to take payments on their website.
What Does it Really Mean to be a Service Provider?
If you’re a service provider, there are a few key areas that you need to be aware of that are different from your obligations as a merchant.
Transaction Levels and PCI Levels
If you are a service provider, there are only 2 “levels” based on your transaction volumes (rather than the 4 “levels” that are applied to merchants). This will affect your reporting requirements.
| Merchant Level | Number of Transactions (Annual) | Payment Channel | Assessment Requirements |
|---|---|---|---|
| Level 1 | 6+ Million | All Channels | Annual Onsite Assessment (RoC) by a QSA |
| Level 2 | 1 - 6 Million | All Channels | Self-Assessment Questionnaire (SAQ) by an ISA, or Onsite assessment by a QSA (MasterCard) |
| Level 3 | 20,000 - 1 Million | E-Commerce | Self-Assessment Questionnaire (SAQ) |
| Level 4 | Up to 1 Million | All Channels | Self-Assessment Questionnaire (SAQ) |
| Level 4 | Fewer than 20,000 | E-Commerce | Self-Assessment Questionnaire (SAQ) |
Service Provider Levels
| Service Provider Level | Transaction Volume (Annually) | Assessment Type |
|---|---|---|
| Level 1 | More than 300,000 transactions | Report on Compliance (RoC) |
| Level 2 | Fewer than 300,000 transactions | Self-Assessment Questionnaire (SAQ) |
Your transaction level is part of what determines your reporting requirements. Your reporting requirements might also be driven by your bank’s request, the card brands’ request, or your customers’ request. Once you store, process, or transmit more than 300,000 transactions annually, you are required to complete a full Report on Compliance (RoC), which requires a full independent assessment by a QSA. This threshold is much lower than the one for a merchant, who generally needs more than 6 million transactions before a RoC is required.
If you are able to self-assess, as a service provider you must use SAQ D for Service Providers; you cannot use any of the other SAQ forms. Having to use this form does not mean that all requirements are immediately applicable to you, but you will need to review them all to understand which ones are. Sometimes your stakeholders might require an independent assessment to give them and other interested parties a level of confidence in your organisation’s security practices.
Additional PCI Requirements
Finally, as a service provider you are also expected to comply with some additional requirements. There are approximately 17 additional requirements specific to service providers in PCI DSS v3.2.1. You may also have to comply with Appendix A1 or A2. Once again, you might not have to comply with all of the requirements specific to service providers, and it may only be a sub-set of these requirements depending on the services that you provide.
After Reading All That, Do I Really Have to be Compliant?
In New Zealand, all of the main acquiring banks have a requirement as part of the merchant agreements that merchants must be PCI compliant.
Merchants are not currently required to use PCI compliant service providers. However, your bank or the card brands may mandate that you only use compliant service providers.
If you are a service provider and you are not compliant as such, your customer will need to include you within the scope of their own assessment. This means that an assessor will need to interview your staff, review system configurations, and review documentation to ensure that the customer’s services are being provided in a compliant manner.
If you have several customers who have PCI DSS requirements, you may find that it is more cost effective to undertake an assessment as a service provider. The result is that rather than being included in each of your customers’ assessments, you would only need to provide a copy of your Attestation of Compliance to your customers annually once your PCI assessment is completed.