The Key Question: Merchant or Service Provider?
One of the most common areas of confusion under PCI DSS is whether an organisation is classified as a merchant or a service provider. While the terms are often used interchangeably in practice, PCI DSS assigns them very specific meanings, and this distinction is fundamental to understanding compliance obligations.
Before examining the definitions in detail, it is important to understand why classification matters. Whether an organisation is considered a merchant, a service provider, or both directly affects scope, applicable requirements, validation approach, and the evidence expected as part of PCI DSS compliance.
Merchant
Under PCI DSS, a merchant is any organisation that accepts payment cards—whether American Express, Discover, JCB, MasterCard or Visa—as payment for goods or services. If you take card payments online, in person or over the phone, you fall into this category.
A merchant may also be considered a service provider if it offers services that store, process or transmit cardholder data on behalf of others.
Example: An internet service provider (ISP) that accepts card payments for monthly subscriptions is a merchant. If that same ISP also hosts ecommerce websites that process cardholder data, it takes on the role of a service provider as well.
Service Provider
A service provider is any entity (excluding the card brands themselves) that processes, stores or transmits cardholder data (CHD) or sensitive authentication data (SAD) on behalf of another organisation. It also includes companies that might not handle card data directly but provide services that could affect the security of that data. This makes the definition broad by design.
Common examples include:
- Payment gateways – Platforms that route and authorise transactions. Examples: Stripe, Adyen, PayPal, Worldpay
- Payment service providers (PSPs) – End-to-end payment solutions for merchants. Examples: Square, Braintree, Checkout.com
- Independent sales organisations (ISOs) – Third parties managing merchant accounts for acquirers. Examples: Fiserv, TSYS, Elavon
- Card issuers – Banks that issue cards to consumers. Examples: Capital One, Chase, Barclays, American Express
- Cloud hosting platforms – Providers hosting infrastructure or data environments. Examples: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP)
- Data centre operators – Facilities managing physical infrastructure and interconnectivity. Examples: Equinix, Digital Realty, IBM Cloud Data Centres
- Managed service providers (MSPs) – Businesses offering outsourced IT and security services. Examples: Rackspace, Accenture Managed Security Services, Tata Communications
- Security vendors – Providers of threat detection, fraud tools or tokenisation services. Examples: Palo Alto Networks, Fortinet, RSA Security, Cloudflare, Sift
- Banks and financial institutions – Organisations that process or handle card data. Examples: HSBC, Citi, Wells Fargo, Lloyds Banking Group
- Third-party call centres – Outsourced teams managing customer interactions, including payments. Examples: Teleperformance, Concentrix, TTEC
If your services touch or influence an environment where cardholder data exists—even indirectly—you likely fall under the service provider classification.
Why Classification Matters
Understanding whether you are a merchant or service provider is more than a terminology exercise—it directly shapes your PCI DSS compliance journey. Service providers are held to a more extensive set of requirements, and misclassifying your organisation can create exposure, audit delays or incomplete compliance.
It also determines the correct Attestation of Compliance (AOC) form. Merchants and service providers use different AOCs, and submitting the wrong one can cause unnecessary rework or complications with acquiring banks or partners.
If you’re unsure where your organisation fits, we’re here to help. Get in touch with Locked Stack, and one of our PCI DSS specialists will work with you to clarify your classification and guide you through the right compliance pathway.
