Rules of thumb for determining if an entity is a Service Provider #pcidss

It's sometimes very difficult to determine who qualifies as a "Service Provider" according to the payment card companies, especially when you are talking about complex third-party relationships in which payment card information might be exchanged.

After some in-depth research I did on this topic, and conversations with an acquirer, I put together these two rules of thumb. These have helped me to understand where the card brands are coming from in their determination of service providers.

  • If the organization takes orders for a third-party firm and then passes on payment information to that third party, and that third party uses its own merchant ID to process the transaction, then the organization is probably a 'service provider' according to the card brands' rules.
  • If the organization acts as a repository for payment card information, and a third party obtains this information from the organization in order to process transactions and uses its own merchant ID, then the organization is probably a 'service provider' according to the card brands' rules.

These are, of course, rules of thumb and not the actual rules of classification. For formal guidance and requirements for Service Providers, you may find these helpful.

Visa: http://usa.visa.com/merchants/risk_management/cisp_service_providers.html

MasterCard: http://www.mastercard.com/us/sdp/serviceproviders/serviceprovider_levels.html

 

Posted via email from ken5m1th
