
PCI DSS Service Provider Levels & Validation

The information below summarizes the service provider requirements of the major payment brands (Visa, MasterCard, American Express, Discover, and JCB International): how annual transaction volume determines the level a service provider is assigned for compliance purposes, and what validation is required at each level.

Visa Service Provider Level & Validation Requirements:

As defined by Visa, service providers are organizations that process, store, or transmit Visa cardholder account or transaction information on behalf of Visa clients, merchants, or other service providers. Service provider levels are defined as follows:

Level 1:

  • VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 Visa transactions per year

Validation Requirements:

  • Annual On-Site PCI Data Security Assessment
  • Quarterly Network Scan

Validation By:

  • Qualified Security Assessor
  • Approved Scanning Vendor

Level 2:

  • Any service provider that stores, processes and/or transmits less than 300,000 Visa transactions per year

Validation Requirements:

  • Annual PCI Self-Assessment Questionnaire
  • Quarterly Network Scan

Validation By:

  • Service Provider
  • Approved Scanning Vendor

Validation procedures and documentation

  • PCI DSS compliance validation is required every 12 months for all Level 1 and Level 2 service providers. Validation requirements are listed below.

Validation Requirements:

  • Third Party Agents: Level 1 service providers not directly connected to Visa are required to submit an Attestation of Compliance (AOC) signed by both parties. Visa reserves the right to request the full Report on Compliance (ROC) and will do so on occasion to verify appropriate content. Level 2 service providers must submit a signed SAQ-D or an AOC bearing a Qualified Security Assessor (QSA) signature for revalidation.
  • Visa Clients, VisaNet Processors and Visa Vendors: Client banks, processors directly connected to Visa, and vendors providing services to Visa must validate compliance by submitting the full Report on Compliance (ROC) and the AOC signed by both parties. ROCs must be sent securely via PGP encryption. If PGP is not available, please contact Visa at pcirocs@visa.com to discuss an alternative submission method.

MasterCard Service Provider Level & Validation Requirements:

MasterCard requires all Service Providers to be PCI Compliant. All Third Party Processors (TPPs) are considered Level 1 Service Providers. Data Storage Entities (DSEs) are categorized as Level 1 or Level 2 Service Providers based on annual MasterCard transaction volume.

  • Based on your level, review the service provider validation requirements below and engage an Approved Scanning Vendor (ASV) or Qualified Security Assessor (QSA) as necessary.
  • Once compliant, submit a signed Attestation of Compliance (AOC), or, if SAQ eligible, submit the SAQ D AOC and the latest clean scan to MasterCard at pcireports@mastercard.com.

Level 1:

  • All Third Party Processors (TPPs)
  • All Data Storage Entities (DSEs) with more than 300,000 total combined MasterCard and Maestro transactions annually

Validation Requirements:

  • Annual Onsite Assessment conducted by a QSA
  • Quarterly Network Scan conducted by an ASV

Validation By:

  • PCI Qualified Security Assessor (PCI QSA)
  • Quarterly network scans must be conducted by a PCI SSC ASV

Level 2:

  • All DSEs with 300,000 or fewer total combined MasterCard and Maestro transactions annually

Validation Requirements:

  • Annual Self-Assessment
  • Quarterly Network Scan conducted by an ASV

Validation By:

  • Quarterly network scans must be conducted by a PCI SSC ASV.

How We Support PCI DSS Service Providers

Praetorian Secure, a PCI QSA company with certified Payment Card Industry Qualified Security Assessor consultants, can help service providers identify their level and validation requirements and then meet those requirements.

In addition, we have arranged ASV relationships to provide an efficient compliance offering without the hassle of vetting multiple vendors. We have existing partnerships with PCI SSC Approved Scanning Vendors. All reports showing compliance with internal and external vulnerability scanning requirements are viewable and reported from one central console. The ASV partner schedules and executes scanning on your behalf and, after a compliant scan, provides an attestation, all in parallel with our PCI QSA service offering.