I have a PCI compliance question for you, specifically around the level of certification required in a certain scenario. If a service provider has a number of customers with each one handling fewer than 6 million transactions, but as a whole (customers combined) the service provider is handling more than 12 million transactions, should that service provider have Level 1 PCI certification?
The PCI certification levels used to determine PCI DSS compliance validation requirements for service providers are actually determined in a manner that is completely separate and distinct from those used to rate merchants. Service provider leveling is conducted by each card brand using rules specific to the card brand and the region.
For example, Visa divides service providers into two levels. Level 1 Service Providers include all VisaNet providers as well as any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually (aggregated across all customers). Level 2 Service Providers are all others -- that is, those who store, process or transmit fewer than 300,000 Visa transactions annually.
MasterCard USA also uses two levels, but differentiates in a slightly different way from Visa. Level 1 Service Providers include all third-party processors, regardless of transaction volume. Those service providers that serve only as data storage entities are classified as Level 1 if they have more than 300,000 total combined MasterCard and Maestro transactions annually. Level 2 Service Providers include data-storage-only entities with fewer than 300,000 annual transactions.
As you can see, the rules here are nuanced and complex. To answer your question directly, service providers do not need to worry about the per-customer counts when calculating their transaction volume. The card brand rules differ from brand to brand and region to region, but they all use aggregate transaction volumes across all customers. In this case, the service provider processing 12 million transactions would clearly fall into the Level 1 category.