Answer

Grasping the nuances of PCI certification levels for service providers

I have a PCI compliance question for you, specifically around the level of certification required in a certain scenario. If a service provider has a number of customers with each one handling fewer than 6 million transactions, but as a whole (customers combined) the service provider is handling more than 12 million transactions, should that service provider have Level 1 PCI certification?

    Requires Free Membership to View

Ask the Expert!

Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

The PCI certification levels used to determine PCI DSS compliance validation requirements for service providers are actually determined in a manner that is completely separate and distinct from those used to rate merchants. Service provider leveling is conducted by each card brand using rules specific to the card brand and the region.

For example, Visa divides service providers into two levels. Level 1 Service Providers include all VisaNet providers as well as any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually (aggregated across all customers). Level 2 Service Providers are all others -- that is, those who store, process or transmit fewer than 300,000 Visa transactions annually.

MasterCard USA also uses two levels, but differentiates in a slightly different way from Visa. Level 1 Service Providers include all third-party processors, regardless of transaction volume. Those service providers that serve only as data storage entities are classified as Level 1 if they have more than 300,000 total combined MasterCard and Maestro transactions annually. Level 2 Service Providers include data-storage-only entities with fewer than 300,000 annual transactions.

As you can see, the rules here are nuanced and complex. To answer your question directly, service providers do not need to worry about the per-customer counts when calculating their transaction volume. The card brand rules differ from brand to brand and region to region, but they all use aggregate transaction volumes across all customers. In this case, the service provider processing 12 million transactions would clearly fall into the Level 1 category.

 

This was first published in September 2013

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: