Service providers are organizations that process, store or transmit Visa cardholder data on behalf of Visa customers, merchants and other service providers.

| Service Provider Level | Description |
| --- | --- |
| 1 | VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year. |
| 2* | Any service provider that stores, processes and/or transmits fewer than 300,000 transactions per year. |

Compliance validation requirements are directed to all service provider levels. This process requires use of a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV):

| Service Provider Level | Validation Action | Validated by | Due Date |
| --- | --- | --- | --- |
| 1 | Annual On-Site PCI Data Security Assessment | QSA | 12/31/2005 |
| 1 | Quarterly Network Security Scan | ASV | |
| 2 | Annual PCI Data Security Questionnaire | Service provider | 12/31/2005 |
| 2 | Quarterly Network Security Scan | ASV | |

Visa requires submission of an executed Attestation of Compliance Form and the "Executive Summary" section of the service provider's Report on Compliance (ROC) to demonstrate PCI-DSS compliance as a Level 1 service provider. Level 2 service providers will submit version D of the Self-Assessment Questionnaire (SAQ). All materials must be sent securely via PGP encryption to pcirocs@visa.com.
Service providers must validate their compliance by submitting the required documentation to Visa. Compliance validation takes place at the service provider's expense, as follows:
The Annual On-Site PCI Data Security Assessment must be completed by Level 1 service providers according to the PCI DSS Security Assessment Procedures. Level 1 service providers must engage a Qualified Security Assessor to complete the Report on Compliance. The PCI-DSS Security Assessment Procedures are to be used as the template for the Report on Compliance. Although Acquirers are responsible for the security of Visa cardholder data wherever it is resident, the scope of PCI-DSS compliance validation for Level 1 service providers is focused on any system(s) or system component(s) involved in processing, storing and/or transmitting Visa cardholder data, and any connected systems. The scope of PCI-DSS validation is described in the PCI DSS Security Assessment Procedures.
The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based on the externally-facing Internet Protocol (IP) address provided by the service provider. Level 1 and 2 service providers are responsible for ensuring that a quarterly network scan is performed on their Internet-facing perimeter systems by an Approved Scanning Vendor.
A customer who uses a service provider, or an Acquirer whose merchant uses a service provider, that is not compliant with the AIS program should refer that service provider to this site for information on how to become compliant.