PCI-DSS Level 1 services are part of the requirements that business entities have to comply with.
This is to safeguard their clienteles’ credit and debit card transactions from fraud and data theft.
PCI compliance is divided into levels 1, 2, 3 and 4 depending on the entities total number of transactions annually.
Payment Card Industry Data Security Standard (PCI-DSS) is ruled by Payment Card Industry Security Standards Council (PCI-SSC). It is a set of security standards that were created in 2004 by the five founding members PCI-SSC.
These are namely MasterCard, Visa, American Express, Discover Financial Services, and JCB International.
As nearly all businesses these days accept card payments, so as the risks concerning data breach and fraudulent activities. Thus, if you are a business entity about to undergo your PCI compliance, it is best that you first determine the differences between a merchant and a service provider.
PCI-DSS defines a merchant as…
A merchant is any entity that accepts debit and credit card payments and has the logos of any of the five founders of PCI-SSC. These payments may be for goods, products and/or services. Marchants have signed agreements with their acquiring banks.
Further, they are also given a Merchant Identification Number (MID) by their payment processor before they proceed with accepting card payments.
Before we proceed in defining what a service provider is, it is also essential to determine the distinction between an acquiring bank and payment processor.
- Acquiring bank – this refers to the financial institution that processes the credit and debit card transactions.
- Payment processor – this refers to a company that serves as a mediator between the business entity and financial institution. In other words, it is an entity that communicates with issuing banks.
PCI-DSS defines a service provider as…
A service provider is a business entity that is not directly affiliated with the processing, storing or transferring of a cardholder data, and neither is it a payment brand. A payment processor is considered a service provider.
These are companies that offer services that may risk the security of a cardholder’s data.
Service providers may also be Managed Services Providers (MSP). These are companies with managed network devices services like firewalls and IDS. Another example are organizations that set up fundraising activities and process transactions on behalf of others.
PCI-DSS defines both merchant AND service provider as…
It is also important to note that merchants can also be service providers. This happens when merchants accept payment cards which result in processing, storing, and transmitting of the cardholder data. This is on behalf of other merchants and service providers.