PCI defines entities as either Merchants or Service Providers. The distinction between the two types of entities is important as it determines the types of agreements you need with partners and the types of PCI assessment you should get.
It is possible to be both a merchant and a service provider.
The number and types of service providers have grown immensely over the last 10 years. As software-defined infrastructure (the cloud) has exploded, merchants have increasingly adopted and integrated products from service providers.
And, on the Internet, there has been a move to using third parties for all aspects of payment processing. The largest Internet payment processor is Stripe, which gives digital companies the ability to accept payments without having to go through all the requirements of PCI themselves.
There are special considerations when merchants work with service providers. In order for a merchant to use a third-party service provider, the service provider must complete an annual PCI DSS assessment. Where the service provider does not perform annual PCI DSS assessments, it must allow the merchant to do on-demand assessments and/or be included within the scope of the merchant's own PCI DSS assessment.
Once you know your entity type, you can determine your Level under PCI. The level is important because it determines the type of PCI assessment you need to perform to be compliant with PCI. A ROC (Report on Compliance) is performed by a PCI Qualified Security Assessor (QSA), while an SAQ (Self-Assessment Questionnaire) is a self-assessment performed by the company itself.
Your PCI level, whether you are a merchant or a service provider, is determined by your annual transaction volume.
PCI defines two levels of service providers.
PCI defines merchants by the annual volume of transactions. PCI merchant levels are below.
If you're a technology company and your product is used by merchants to process card payments, you are a Service Provider under PCI.