WithPCI.com

Compliance for Level 1 Service Providers: Requirements and Attestation

Level 1 service providers represent the highest tier in the PCI DSS compliance hierarchy for businesses that process cardholder data on behalf of other entities. These organizations handle large volumes of transactions annually and must adhere to the most stringent security and validation requirements. This document provides a comprehensive overview of the PCI DSS obligations for Level 1 service providers, including validation methods, assessment procedures, and Attestation of Compliance (AoC) requirements.

Who Qualifies as a Level 1 Service Provider?

A Level 1 service provider is defined as any business entity that stores, processes, or transmits more than 300,000 credit card transactions annually on behalf of other entities. This classification applies to organizations such as payment processors, payment gateways, hosting providers, and managed service providers that have access to cardholder data environments or could impact the security of cardholder data.

According to Mastercard's classification, Level 1 service providers include "All DSE's that store, transmit, or process greater than 300,000 total combined MasterCard and Maestro transactions annually". Similarly, Visa classifies Level 1 service providers as "VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually".

Eligibility Criteria for Level 1 Service Provider Classification

Level 1 Service Provider status applies to entities that face the highest scrutiny under PCI DSS due to their transaction volume, operational characteristics, and potential impact on payment security.

Transaction Volume Threshold

The primary qualification for Level 1 Service Provider classification is processing over 300,000 payment card transactions annually. This threshold applies to service providers that store, process, or transmit cardholder data on behalf of other entities.

Examples of qualifying entities:

  • Payment gateways processing transactions for merchants
  • Managed service providers with access to cardholder data environments
  • Hosting providers that store cardholder data
  • Software as a Service (SaaS) providers handling payment information

Card brands monitor transaction volumes through their networks, automatically categorizing service providers exceeding this threshold as Level 1.

Service Provider Categories

Service providers are categorized as Level 1 or Level 2 based on their service provider category and annual transaction volume. Unlike merchants who deal directly with customers, service providers are business entities that aren't payment brands but are directly involved in processing, storing, or transmitting cardholder data on behalf of another business.

Additional Classification Factors

Beyond transaction volume, service providers may be classified as Level 1 based on:

  • The nature of services provided that may impact cardholder data security
  • Previous security incidents or breaches
  • Discretionary designation by payment card brands

Key PCI DSS Compliance Requirements for Level 1 Service Providers

1. Annual Report on Compliance (ROC)

  • Validation Method: Level 1 service providers must undergo a full onsite PCI DSS assessment each year.
  • Who Conducts the Assessment: This assessment must be performed by a Qualified Security Assessor (QSA) approved by the PCI Security Standards Council.
  • Purpose: The ROC is a comprehensive review of the service provider's security controls, policies, and technical environment to ensure full compliance with all PCI DSS requirements.

As stated in the Mastercard requirements, "Level 1 service providers must validate compliance with the PCI DSS annually... by undergoing a PCI assessment resulting in the completion of a ROC conducted by an appropriate PCI SSC-approved QSA".

2. Quarterly Network Scans

  • Requirement: Service providers must have their external networks scanned at least quarterly.
  • Who Performs the Scans: Scans must be conducted by an Approved Scanning Vendor (ASV).
  • Purpose: These scans identify and help remediate vulnerabilities that could be exploited by attackers.

3. Attestation of Compliance (AoC)

  • Requirement: After completing the ROC, Level 1 service providers must submit an AoC form.
  • Purpose: The AoC is a formal declaration of the service provider's PCI DSS compliance status.
  • Availability: Service providers like AWS make their AoC available to customers through platforms like AWS Artifact.

4. Additional Service Provider Requirements

Service providers must implement several specific requirements, including:

  • Written acknowledgment of service provider responsibilities related to the security of customer cardholder data (Requirement 12.9)
  • Secure configuration of all systems used to access customer environments (Requirements 2, 5, and 6)
  • Strong access controls for accounts that access customer environments (Requirements 2.3, 7, and 8)
  • Multi-factor authentication for all remote access to customer cardholder data environments (Requirement 8.3)
  • Logging of access and activities performed on service provider systems (Requirement 10)

Attestation of Compliance (AoC) Signature Requirements

For Level 1 service providers, the AoC carries significant weight and must be signed by multiple parties:

  • QSA Signature: The QSA who conducted the onsite assessment must sign the AoC, verifying that the assessment was thorough and accurate.
  • Executive Signature: A senior executive (such as a C-level officer or authorized company representative) must also sign, affirming the organization's commitment to PCI DSS compliance and accepting responsibility for ongoing adherence.

This dual-signature process ensures both technical and organizational accountability for protecting cardholder data.

Additional Compliance Considerations

  • Designated Entities Supplemental Validation (DESV): "Mastercard recommends that each Level 1 and Level 2 service provider demonstrate to Mastercard its compliance with the Designated Entities Supplemental Validation (DESV) appendix of the PCI DSS".
  • Customer-Provider Relationship: "PCI SSC encourages service providers and their customers to work together to identify which requirements apply to that service and how responsibilities for maintaining security controls are assigned between the two parties". This relationship should include agreements on how compliance information will be shared and what evidence will be provided.
  • PCI DSS 4.0 Compliance: Service providers should ensure they're compliant with the latest version of PCI DSS, which includes "strong authentication requirements and additional data encryption applications".
  • Registration on Approved Service Provider Lists: Validating as a Level 1 Service Provider allows organizations to be listed on Visa's Global Registry of Approved Service Providers, which can be "a powerful marketing tool" for many organizations.
  • Connected-to Service Provider Considerations: Even service providers that don't handle cardholder data directly but connect to customer environments must implement certain PCI DSS requirements.

Consequences of Non-Compliance

Failure to meet PCI DSS requirements can result in significant repercussions for Level 1 service providers:

  • Monetary Fines: Non-compliance can lead to substantial fines, depending on the duration and severity of the non-compliance.
  • Loss of Registration Status: Service providers may lose their ability to be listed on Visa's Global Registry of Approved Service Providers.
  • Increased Exposure to Data Breaches: Non-compliant service providers are more susceptible to cyberattacks, potentially leading to data breaches that affect both the service provider and their clients.
  • Termination of Business Relationships: Clients may terminate relationships with non-compliant service providers to protect their own compliance status and reputation.
  • Legal Implications: Data breaches resulting from non-compliance can lead to legal actions, including lawsuits and penalties that may extend to the service provider's clients.
  • Loss of Revenue and Reputation: Non-compliance can damage a service provider's reputation, leading to loss of client trust and revenue.

Conclusion

Being a Level 1 service provider under PCI DSS means adhering to the strictest security standards in the payment industry. Annual onsite assessments by a QSA, quarterly network scans by an ASV, and a rigorously signed Attestation of Compliance form are all mandatory. By meeting these requirements, Level 1 service providers not only protect themselves and their clients but also contribute to the overall security and trustworthiness of the global payment ecosystem.

For service providers looking to establish themselves as trusted partners in the payments industry, achieving and maintaining Level 1 compliance is essential, not only for meeting regulatory requirements but also as a competitive advantage that demonstrates their commitment to maintaining the highest standards of security for cardholder data.
