Requirements of Service Provider | PCI DSS Service Provider Levels

July 27, 2009

The Payment Card Industry Data Security Standards (PCI DSS) compliance validation requirements for service providers, listed by card brand, are as follows:

VISA (Levels 1 to 3):

  • Annual on-site review by QSA
  • Quarterly network scan by ASV
  • Annual Self-Assessment Questionnaire
    (Canada: SAQ required and must be reviewed by QSA)

American Express (AMEX):

  • Annual on-site review by QSA (or internal auditor if signed by officer of merchant company)
  • Quarterly network scan by ASV

Discover:

Quarterly network scans by ASV AND one of the following:

  • Annual on-site review by QSA (or internal auditor if signed by officer of Service Provider)
  • Annual self-assessment questionnaire

JCB:

  • TPP validation requirements will be outlined in forthcoming JCB rules and regulations.

MasterCard:

  • Level 1 SPs: Annual on-site review by QSA AND quarterly network scan by ASV
  • Level 2 SPs: Annual self-assessment questionnaire AND quarterly network scan

To learn more about Payment Card Industry Data Security Standards (PCI DSS) compliance, visit the official PCI DSS Resource Guide.

PCI DSS Requirements

Does your business meet the 12 requirements for achieving PCI DSS compliance?

  • Do you maintain a secure network?
  • How well do you protect cardholder data?
  • What are your access control measures?
