- February 7, 2007: New Techniques for Guarding Financial Data
- February 6, 2007: Increased Scrutiny From Card Associations in 2007
- January 28, 2007: The State of PCI Compliance 2007
- January 23, 2007: Background Checks on IT Personnel
- January 5, 2007: 100 Million Notifications of Data Breaches in US
- December 17, 2006: Inside Jobs: The Risk of Data Breach From Insider Threats
- December 12, 2006: Card Associations Step Up PCI Enforcement
- December 1, 2006: CompTIA Survey Emphasizes Importance of Security Training
- November 16, 2006: Average data breach costs $5 million
PCI Compliance for Service Providers FAQ
What is a PCI Service Provider?
Any company that stores, processes, or transmits cardholder data on behalf of another entity is defined as a Service Provider under the Payment Card Industry (PCI) guidelines. Visa’s website provides the clearest explanation of how the PCI Data Security Standard (DSS) applies to Service Providers. However, Visa is only one of the card brands participating in PCI, so a Service Provider must understand and adhere to the security program of every major card brand, each of which has its own requirements for compliance and registration.
How do we know what Service Provider Level we fit in?
Each of the credit card companies that participate in PCI has its own rules defining Service Provider Levels. For example, Visa, whose rules are available on its CISP for Service Providers page, defines the levels based on the number of annual transactions. However, one very important distinction in Visa’s rules is overlooked by many service providers: by Visa’s definition, any service provider that stores, processes, and/or transmits cardholder data as part of a payment transaction is a Level 1 Service Provider. In other words, a company that has access to cardholder data as part of a payment is automatically defined to be Level 1, regardless of volume.
MasterCard is also very clear in defining the levels for Service Providers for its SDP program. MasterCard defines two categories of Service Providers: Third Party Processors (TPP) and Data Storage Entities (DSE). The Service Provider Levels Defined page defines all Third Party Processors to be Level 1.
What are the requirements for becoming a Level 1 Service Provider in compliance with the PCI DSS?
There are two primary qualifications of a PCI Level 1 Service Provider. The first is the successful completion of an On-Site PCI Data Security Assessment that is validated by a Qualified Security Assessor. To pass the Data Security Assessment, the company must demonstrate compliance with 100% of the requirements detailed in the PCI Security Audit Procedures, which contains over 250 specific points of compliance. The second qualification is successful completion of a PCI Security Scan by an Approved Scanning Vendor. Given the complexity of meeting the requirements, the compliance process often takes more than one year to complete.
May 5, 2009 at 10:16 am
Hi,
I realise that this is an old entry but you say
>By Visa’s definition, any service provider that stores, processes,
>and/or transmits cardholder data as part of a payment transaction
>is a Level 1 Service Provider. So in other words, a company that
>has access to cardholder data as part of a payment is automatically
>defined to be Level 1.
I’ve had a look at the linked Visa article and can’t see how you are coming to this conclusion.
Maybe the linked article has changed since?
Paschal.
May 5, 2009 at 10:36 am
Visa has changed their definitions of service providers. The current info is on this page on Visa’s site:
http://usa.visa.com/merchants/risk_management/cisp_service_providers.html
As noted on this page, this now deletes the use of “gateway” as part of the definition. This was always an incredibly confusing and ambiguous term. I had actually spoken with the leader of the CISP compliance team years ago about this definition. That’s when I made the post that you are referring to.
Now, SPs are strictly classified by volume. However, a level 2 provider does not have to have an independent audit. Practically speaking, this means that they have not had their compliance validated. From a competitive standpoint, I think that a level 2 SP would have a very difficult time competing in a market with level 1 SPs.
Thanks for your comments. I am hoping to resurrect this blog soon and resume regular posts.