A service provider is defined as a company that mediates in the processing, storage or transmission of credit card data and does not directly receive credit card data from the end customer.
The term also covers businesses that provide services that control or affect the security of card data. Examples of service providers include payment channels such as PayPal, bank payment platforms and hotel booking engines.
Service providers are required to comply with the SAQ D SP specifications, which include all the requirements and related security policies that must be implemented by the organization. Many organizations will need to validate their compliance with all of the PCI DSS specifications to meet the SAQ D SP specifications, while some organizations with more specific operating models will only need to validate their compliance with part of it. For example, a company that does not use wireless technology in its infrastructure will not need to validate its compliance with the sections of PCI DSS that refer to the management of wireless technology.
The SAQ D SP for service providers applies to all service providers that are also defined as a payment brand and are eligible to complete an SAQ.
Service providers fall into one of two levels, based on the number of transactions they have per card brand per year. The level also determines the certification methodology:
Service Providers that carry out up to 300,000 transactions per year
Service Providers that carry out more than 300,000 transactions per year or perform payment services (Payment Service Providers)