I was recently asked by one of my clients, who was going through a PCI compliance assessment, whether they were a merchant or a service provider. Sounds like a simple question. So, let’s dig deeper.
The PCI Security Standards Council (SSC) defines a merchant this way:
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
The PCI Security Standards Council defines a service provider this way:
Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data.
Is your head hurting yet? No? Good, let’s keep going.
If you have a merchant ID with a bank, it’s simple enough to work out that you are a merchant. But does that mean you are not a service provider? Short answer: no.
Traditional service providers include payment processors, payment gateways, managed POS providers, and any other companies that come into direct contact with card data during the payment process.
So, the question to ask yourself is: are you providing a “service” that your customers rely on to protect THEIR cardholder data environment (CDE)? For example, let’s say my CDE runs on Oracle Cloud. In this case, I am a merchant and Oracle Cloud is the service provider, since I am relying on Oracle Cloud to secure its datacenters and keep my CDE safe. The same logic applies in reverse: if other entities rely on a service you provide to keep their cardholder data secure, you are a service provider to them, whether or not you also hold a merchant ID.
I hope that made sense!