PCI-DSS Level 1 services: Merchant vs service provider

What are the differences between a merchant and service provider with regards to PCI-DSS? How can entities comply with PCI-DSS level 1 service certification?

PCI-DSS Level 1 services are part of the requirements that business entities have to comply with.

This is to safeguard their clients’ credit and debit card transactions from fraud and data theft.

PCI compliance is divided into levels 1, 2, 3 and 4 depending on the entity’s total number of transactions annually.

The Payment Card Industry Data Security Standard (PCI-DSS) is governed by the Payment Card Industry Security Standards Council (PCI-SSC). It is a set of security standards that were created in 2004 by the five founding members of the PCI-SSC.

These are MasterCard, Visa, American Express, Discover Financial Services, and JCB International.

As nearly all businesses these days accept card payments, the risks of data breaches and fraudulent activity have grown with them. Thus, if you are a business entity about to undergo PCI compliance, it is best that you first determine the differences between a merchant and a service provider.

PCI-DSS defines a merchant as…

A merchant is any entity that accepts debit and credit card payments and displays the logos of any of the five founders of the PCI-SSC. These payments may be for goods, products and/or services. Merchants have signed agreements with their acquiring banks.

Further, they are also given a Merchant Identification Number (MID) by their payment processor before they proceed with accepting card payments.

Before we proceed to define what a service provider is, it is also essential to understand the distinction between an acquiring bank and a payment processor.

  • Acquiring bank – the financial institution that processes the credit and debit card transactions.
  • Payment processor – a company that serves as a mediator between the business entity and the financial institution. In other words, it is the entity that communicates with the issuing banks.

PCI-DSS defines a service provider as…

A service provider is a business entity that is not directly affiliated with the processing, storing or transmitting of cardholder data, and is not a payment brand either. A payment processor is considered a service provider.

These are companies that offer services that may put the security of a cardholder’s data at risk.

Service providers may also be Managed Services Providers (MSPs). These are companies that provide managed network device services, such as firewalls and IDS. Other examples are organizations that set up fundraising activities and process transactions on behalf of others.

PCI-DSS defines both merchant AND service provider as…

It is also important to note that merchants can also be service providers. This happens when a merchant, in the course of accepting payment cards, processes, stores, or transmits cardholder data on behalf of other merchants or service providers.

OP360 Team

OP360 is a leading provider of operational solutions, specializing in delivering tech-driven strategies and solutions that enhance business performance, which include customer support, back-office support, and content moderation.