Merchant or Service Provider: Understanding Your Role Under PCI DSS
One of the most common areas of confusion under PCI DSS is whether an organisation is classified as a merchant or a service provider. While the terms are often used interchangeably in practice, PCI DSS assigns them very specific meanings, and this distinction is fundamental to understanding compliance obligations.
Before examining the definitions in detail, it is important to understand why classification matters. Whether an organisation is considered a merchant, a service provider, or both directly affects scope, applicable requirements, validation approach, and the evidence expected as part of PCI DSS compliance…