Understanding the Various Levels of Merchants and Service Providers

Merchants and service providers report PCI DSS compliance by one of two validation methods:

A. Self-Assessment Questionnaire (SAQ)

  1. The SAQ is a validation tool for merchants and service providers to report the results of their PCI DSS self-assessment, if they are not required to submit a ROC.
  2. It includes a series of yes-or-no questions for each applicable PCI DSS requirement.
  3. Different SAQs are available to suit different merchant environments.

B. Onsite Assessment by a Qualified Security Assessor

  1. An onsite assessment is a validation mechanism for merchants and service providers, performed by a Qualified Security Assessor (QSA).
  2. The QSA submits the Report on Compliance (ROC) and the Attestation of Compliance (AOC).
  3. Both the QSA and an authorized person at the merchant/service provider entity must sign the AOC.

C. How do you identify what applies to your organization: SAQ or Onsite Assessment?

  1. If you are a merchant, your level depends on your annual transaction volume across all channels; the payment card brands define four merchant levels.
  2. If you are a service provider, your level depends on your annual transaction volume across all channels; the payment card brands define two service provider levels.
  3. All levels except Level 1 must complete a self-assessment questionnaire and have a quarterly external vulnerability scan performed by an Approved Scanning Vendor (ASV).

D. Merchant PCI Compliance Levels:

Definition of Merchant: An entity that directly provides services and/or products to the end customer and receives payment through various channels. Examples include hotels, restaurants, airlines, hospitals, online shopping portals, etc.

Compliance Assessment

Note: Depending on the type of SAQ applicable to your organization, internal vulnerability scans and penetration tests may also be required. Read our blog on the types of SAQs.

E. Service Provider PCI Compliance Levels:

Definition of Service Provider: A business entity, other than a payment brand, that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services which control or could impact the security of cardholder data. Examples include hosting service providers, card printing services, backup service providers, managed service providers, security management, contact centres and/or back office processing companies, etc.

Compliance Assessment

Receiving a Report on Compliance (ROC) and validating as a Level 1 Service Provider allows an entity to be listed on Visa's Global Registry of Approved Service Providers, which helps the entity be recognized as a trusted service provider and is useful when pitching for new business opportunities.
