Problem solve Get help with specific problems with your technologies, process and projects.

Grasping the nuances of PCI certification levels for service providers

Expert Mike Chapple explains how card brands differentiate between PCI certification Levels 1 and 2 for service providers.

I have a PCI compliance question for you, specifically around the level of certification required in a certain scenario. If a service provider has a number of customers with each one handling fewer than 6 million transactions, but as a whole (customers combined) the service provider is handling more than 12 million transactions, should that service provider have Level 1 PCI certification?

Ask the Expert!

Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

The PCI certification levels used to determine PCI DSS compliance validation requirements for service providers are actually determined in a manner that is completely separate and distinct from those used to rate merchants. Service provider leveling is conducted by each card brand using rules specific to the card brand and the region.

For example, Visa divides service providers into two levels. Level 1 Service Providers include all VisaNet providers as well as any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually (aggregated across all customers). Level 2 Service Providers are all others -- that is, those who store, process or transmit fewer than 300,000 Visa transactions annually.

MasterCard USA also uses two levels, but differentiates in a slightly different way from Visa. Level 1 Service Providers include all third-party processors, regardless of transaction volume. Those service providers that serve only as data storage entities are classified as Level 1 if they have more than 300,000 total combined MasterCard and Maestro transactions annually. Level 2 Service Providers include data-storage-only entities with fewer than 300,000 annual transactions.

As you can see, the rules here are nuanced and complex. To answer your question directly, service providers do not need to worry about the per-customer counts when calculating their transaction volume. The card brand rules differ from brand to brand and region to region, but they all use aggregate transaction volumes across all customers. In this case, the service provider processing 12 million transactions would clearly fall into the Level 1 category.


This was last published in September 2013

Dig Deeper on PCI Data Security Standard

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.