I have a PCI compliance question for you, specifically around the level of certification required in a certain
scenario. If a service provider has a number of customers with each one handling fewer than 6 million transactions, but as a whole (customers combined) the service provider is handling more than 12 million transactions, should that service provider have Level 1 PCI certification?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The PCI certification levels used to determine PCI DSS compliance validation requirements for service providers are actually determined in a manner that is completely separate and distinct from those used to rate merchants. Service provider leveling is conducted by each card brand using rules specific to the card brand and the region.
For example, Visa divides service providers into two levels. Level 1 Service Providers include all VisaNet providers as well as any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually (aggregated across all customers). Level 2 Service Providers are all others -- that is, those who store, process or transmit fewer than 300,000 Visa transactions annually.
MasterCard USA also uses two levels, but differentiates in a slightly different way from Visa. Level 1 Service Providers include all third-party processors, regardless of transaction volume. Those service providers that serve only as data storage entities are classified as Level 1 if they have more than 300,000 total combined MasterCard and Maestro transactions annually. Level 2 Service Providers include data-storage-only entities with fewer than 300,000 annual transactions.
As you can see, the rules here are nuanced and complex. To answer your question directly, service providers do not need to worry about the per-customer counts when calculating their transaction volume. The card brand rules differ from brand to brand and region to region, but they all use aggregate transaction volumes across all customers. In this case, the service provider processing 12 million transactions would clearly fall into the Level 1 category.
Dig deeper on PCI Data Security Standard
Related Q&A from Mike Chapple, Enterprise Compliance
Should companies obtain U.S. security clearance to join the Enhanced Cybersecurity Services program? Mike Chapple offers his perspective.continue reading
Does a Web application security assessment termed 'compliance ready' seem too good to be true? Learn its role in an enterprise compliance program.continue reading
Learn how hiring the right PCI DSS-compliant service providers, especially payment services providers, can reduce your compliance burden.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.