Payments Brand Rules Summary

Document created by james.elkin@worldpay.com on Feb 19, 2020
Version 1

Mastercard and Visa Service Provider Levels and PCI SSC Validation Requirements
Service Provider: Any entity that stores, processes or transmits cardholder data, OR has the ability to impact the security of a merchant’s cardholder data environment, must comply with the PCI Data Security Standard and validate that compliance annually. Service Providers are divided into two categories: Level 1 and Level 2.
Entities include:

  • Third Party Processor
  • Staged Digital Wallet Operator
  • Digital Activity Service Provider
  • Token Service Provider
  • 3-D Secure Service Provider
  • Data Storage Entity ***
  • Payment Facilitator
  • Terminal Servicer ***
  • Independent Sales Organization **
  • Merchant Servicer
  • Third Party Servicer
Validation Action:

  • Level 1 - Processing, storing or transmitting more than 300,000 transactions annually with all merchants combined
    • Annual On-Site PCI Data Security Assessment by a Qualified Security Assessor (QSA)
    • Quarterly Vulnerability Scans
    • Attestation of Compliance (AOC) signed by the QSA and the service provider
  • Level 2 - Processing, storing or transmitting fewer than 300,000 transactions annually with all merchants combined
    • Quarterly Vulnerability Scans
    • Annual PCI Self-Assessment Questionnaire (SAQ D-SP)
    • Attestation of Compliance (AOC) signed by the service provider
    • Optional - Annual On-Site PCI Data Security Assessment by a Qualified Security Assessor (QSA)
** If they have the ability to impact the security of the merchant’s cardholder data environment
*** Mastercard only; typically treated as Level 2 SP for validation purposes