The following is a guest post by Rob Harvey. Rob is a Consulting Manager inside the PCI practice at VeriSign.

‘Tis the season!

Everyone is in the giving mode this time of the year and VISA is no different. VISA announced in the last month a change in the service provider validation levels and reporting. It is also the season for reflecting on the past year and one of the biggest questions we get from our clients is, “Am I a service provider and if so what level do I need to validate against?”

Beginning February 2009, VISA will use a modified two level approach for service providers which I hope will add clarity to the question. See the information on VISA’s website.

“Am I a service provider?” By definition from VISA, service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa clients, merchants, or other service providers. Some examples of service providers are transaction processors, payment gateways, Independent Sales Organizations (ISO) or External Sales Agents (ESA), credit reporting services, customer service functions, plastic card embossing, remittance processing, managed security service providers, and hosting providers.

This past week proved my point that organizations may not realize they are acting as a service provider in addition to their merchant obligations. Management for a L3 merchant (~750,000 annual ecommerce transactions) knew they needed to comply with the PCI DSS but only to submit a questionnaire and quarterly scanning to their acquirer for validation. After further review, they offer payment gateway services to their direct sales consultants (read: independent contractors / merchants).

So, I am a service provider, “What level am I?” VISA offers the following guidance:

  • Level 1 – VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year
  • Level 2 – Any service provider that stores, processes and/or transmits less than 300,000 transactions per year

VISA combined levels 1 and 2 in addition to lowering the amount transactions from million per year to 300,000. This change means that many service providers that could self assess are now elevated to Level 1 status, requiring a full on-site assessment.

If this is a revelation that you were not ready for, drop us a line! We can help!

This post originally appeared on

Possibly Related Posts: