PCI Primer

Lesson 2 | Entities under PCI


Types of Entities

PCI defines entities as either Merchants or Service Providers. The distinction between the two types of entities is important as it determines the types of agreements you need with partners and the types of PCI assessment you should get.

  1. Merchants accept card payments for products or services. Merchants have a direct relationship with the buyers of their services.
  2. Service Providers provide services and products to store, process, or transmit cardholder data for Merchants.

It is possible to be both a merchant and a service provider.

The number and types of service providers have grown immensely over the last 10 years. As software-defined infrastructure (the cloud) has exploded, merchants have increasingly adopted and integrated products from service providers.

On the Internet, there has also been a move toward using third parties for all aspects of payment processing. The largest Internet payment processor is Stripe, which lets digital companies accept payments without having to meet all the requirements of PCI themselves.

Working with Service Providers

There are special considerations when merchants work with service providers. In order for a Merchant to use a third-party service provider, the service provider must complete an annual PCI DSS assessment. In cases where the service provider does not do annual PCI DSS assessments, the service provider must allow the merchant to do on-demand assessments and/or the service provider must be included within the scope of the merchant's PCI DSS assessment.

PCI Levels

Once you know your entity type, you can determine your Level under PCI. The level is important as it determines the type of PCI assessment you need in order to be in compliance with PCI. A ROC (Report on Compliance) is performed by a PCI Qualified Security Assessor (QSA); an SAQ (Self-Assessment Questionnaire) is a self-assessment performed by the company itself.

Your PCI level, whether for a merchant or a service provider, is determined by the volume of your transactions per year.

PCI defines two levels of service providers.

  1. Service Provider Level 1 - over 300,000 transactions transmitted per year. ROC required.
  2. Service Provider Level 2 - less than 300,000 transactions transmitted per year. SAQ required.

PCI defines merchants by the annual volume of transactions. PCI merchant levels are below.

  1. Merchant Level 1 - over 6M card transactions per year. ROC required.
  2. Merchant Level 2 - between 1M and 6M transactions per year. SAQ required.
  3. Merchant Level 3 - between 20,000 and 1M transactions per year. SAQ required.
  4. Merchant Level 4 - less than 20,000 transactions per year. SAQ required.

If you're a technology company and your product is used by merchants to process card payments, you are a Service Provider under PCI.