SAQ D TPSP Service Providers are third-party service providers (TPSPs) that handle cardholder data on behalf of merchants or other service providers and are required to comply with SAQ D. TPSPs are defined as business entities that are not payment brands and are directly involved in the processing, storage, or transmission of cardholder data.
- Eligibility Criteria: This category covers a broad range of providers, such as hosting providers, payment gateways, or security service providers, as long as they handle cardholder data. They must be eligible for SAQ D, which typically means Level 2 service providers whose transaction volume falls below certain thresholds (e.g., fewer than 300,000 Visa transactions annually).
- Compliance Requirements: Like SAQ D Merchants, they must meet all PCI DSS requirements, with version 4 adding detailed reporting and diagrams of their environment. This includes securing networks, protecting data, and conducting regular assessments, with a focus on managing third-party relationships.
- Practical Implications: TPSPs have a significant responsibility, as their security impacts their clients’ compliance. They must provide AoCs to merchants, ensuring transparency and shared accountability.
Comparative Analysis
To illustrate the differences and similarities, consider the following table comparing key aspects, including the applicability of requirements 6.4.3 and 11.6.1:
