PCI Service Provider Requirements

0Tolerance is a listed Payment Card Industry (PCI) Qualified Security Assessor (QSA) and can help you understand the PCI Service Provider requirements.

PCI Service Provider Requirements

The PCI Data Security Standard (PCI DSS) is a contractual requirement set forth by the PCI Security Standards Council (PCI SSC) to protect cardholder data. It applies to any organization that stores, processes, or transmits cardholder data, regardless of the size or number of transactions. It also applies to organizations that impact the security of card transactions. The PCI DSS protects cardholder data by requiring organizations to implement security controls and best practices. Level 1 organizations must undergo annual third-party Qualified Security Assessor (QSA) audits to ensure that their security controls are effective and comply with the PCI DSS.

In the context of the PCI DSS, service providers are organizations that provide services to other organizations that handle cardholder data. Examples of service providers include payment processors, hosting providers, and managed service providers. Service Providers can be either Level 1 or Level 2. All Level 1 Service Providers must undergo a third-party QSA audit annually. Level 2 Service Providers have options for a third-party QSA audit or the Self-Assessment Questionnaire Type D for Service Providers.

 PCI Penetration Testing Requirements

Must be performed by a qualified resource, free of conflict of interest with the organization.

Who needs it?

• All Service Providers must undergo a full annual pen test.
• All Service Providers must undergo a second annual pen test for segmentation testing purposes (6 months from the full test).

PCI External Vulnerability Scanning Requirements

Must be performed by a PCI Approved Scanning Vendor.

Who needs it?

• All Service Providers

PCI Internal Vulnerability Scanning Requirements

Who needs it?

• All Service Providers