PCI Service Provider Levels

Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa clients, merchants, or other service providers. Service provider levels are defined as:

Service Provider Level Description
1 VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually
2* Any service provider that stores, processes and/or transmits less than 300,000 Visa transactions annually.

*Effective February 1, 2009, Level 2 service providers will not longer be listed on Visas’ List of PCI DSS Compliant Service Providers. Entities that wish to be on the Global List of PCI DSS Validated Service Providers must validate as a Level 1 provider.

In addition to adhering to the PCI DSS, compliance validation is required for all service providers.

Level Validation Action Validated By
1 * Annual On-Site PCI Data Security Assessment
* Quarterly Network Scan
* Qualified Security Assessor
* Approved Scanning Vendor quarterly scans
2 * Annual PCI Self-Assessment Questionnaire
* Quarterly Network Scan
* Service Provider (QSA for Canada)
* Approved Scanning Vendor for quarterly scans