Service providers are required to become compliant with the PCI DSS if they deliver services to merchants that process, transmit or store payment card data. In Nettitude’s experience it is rare for service providers to be contacted by their acquirer and asked to become compliant. Instead, the pressure to achieve PCI DSS compliance comes from their clients.
The matrix below shows the compliance validation requirements by service provider level. These requirements vary slightly by geography and card brand, but at a high level the bandings are as follows.
Level 2 organisations can choose to certify as a level 1 organisation. By certifying as a level 1 organisation, the service provider is listed on the Visa and MasterCard websites as a PCI DSS compliant service provider. Organisations that certify as level 2 cannot be listed on either the Visa or MasterCard websites.