I have a PCI compliance question for you, specifically around the level of certification required in a certain scenario. If a service provider has a number of customers with each one handling fewer than 6 million transactions, but as a whole (customers combined) the service provider is handling more than 12 million transactions, should that service provider have Level 1 PCI certification?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The PCI certification levels used to determine PCI DSS compliance validation requirements for service providers are actually determined in a manner that is completely separate and distinct from those used to rate merchants. Service provider leveling is conducted by each card brand using rules specific to the card brand and the region.
For example, Visa divides service providers into two levels. Level 1 Service Providers include all VisaNet providers as well as any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually (aggregated across all customers). Level 2 Service Providers are all others -- that is, those who store, process or transmit fewer than 300,000 Visa transactions annually.
MasterCard USA also uses two levels, but differentiates in a slightly different way from Visa. Level 1 Service Providers include all third-party processors, regardless of transaction volume. Those service providers that serve only as data storage entities are classified as Level 1 if they have more than 300,000 total combined MasterCard and Maestro transactions annually. Level 2 Service Providers include data-storage-only entities with fewer than 300,000 annual transactions.
As you can see, the rules here are nuanced and complex. To answer your question directly, service providers do not need to worry about the per-customer counts when calculating their transaction volume. The card brand rules differ from brand to brand and region to region, but they all use aggregate transaction volumes across all customers. In this case, the service provider processing 12 million transactions would clearly fall into the Level 1 category.
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ... Continue Reading