Gateway vs. Service Provider
July 23rd, 2006 by datasecurity. Posted in Merchant, PCI DSS, Service Provider

Many people get confused about the difference between merchants, service providers, gateways, and data storage entities. The card associations generally break down non-issuing/acquiring/processing entities into two types: Merchant or Service Provider.
A Merchant is defined as a location or store where purchases are made. The merchant remains responsible for the security of the credit card information regardless of whom it passes that information to, such as a service provider. (Of course, the Acquirer is responsible for the merchant, so liability actually hits the acquirer, but any fines are passed transitively to the merchant anyway.)
A Service Provider is defined as an entity that handles credit card information on behalf of a merchant, acquirer, issuer, processor, or other service provider.
Level 1 Service Provider examples:
- Gateways
- VisaNet Processors (member and non-member)
- Data Storage Entity (DSE) - (more than 6 million MasterCard or Visa transactions regardless of acceptance channel)
Level 2 and 3 Service Provider examples:
- Data Storage Entity (DSE) - (more than 150,000 and less than 6,000,000 electronic commerce transactions)
- Third-Party Servicer (TPS)
- Independent Sales Organizations (ISO)
- Merchant vendor
- Web hosting company or shopping cart
- Media back-up company
- Loyalty program vendor
- Risk management vendor
- Chargeback vendor
- Credit bureau
- Other (the list is long…)
The term Service Provider is Visa's word, while MasterCard prefers the term DSE.
A Gateway is a special type of service provider. Although there are many definitions of a payment gateway (see the Wikipedia entry), the best one is this:
Payment gateways are a category of agent or service provider that stores, processes, and/or transmits cardholder data as part of a payment transaction. Specifically, they enable payment transactions (e.g., authorization or settlement) between merchants and processors (VisaNet endpoints). Merchants may send their payment transactions directly to an endpoint, or indirectly to a payment gateway.
Examples of gateways include:
- Internet Payment Service Provider (IPSP)
Global Payments has some great definitions for these terms, which are all different forms of service providers:
- Data Storage Entity (DSE), which include Gateways
- Merchant Servicer
- Third Party Servicer (TPS)
- Third Party Processor (TPP)
- VisaNet Processor
(Many of these definitions and more can be found in the MasterCard Merchant Rules Manual [PDF], MasterCard Member Service Provider Rules Manual [PDF], Visa Merchant Glossary of Terms, and Rules for Visa Merchants [PDF].)
Also, check out: Visa USA Cardholder Information Security Program (CISP) Overview: Compliance and Validation [PDF]
16 Responses to “Gateway vs. Service Provider”
By Rudolf Goetz on Nov 17, 2006
We are a small startup company wanting to engage in internet sales of our product. We have arranged for a webhosting account with “Lunarpages” where our internet server and access point will be located. We also have engaged a developer to design and code up our website to be hosted at Lunarpages (this is work currently in progress). And third, we have opened an account with a merchant services company where we plan to conduct all credit card/financial processing. This will be linked to the server at Lunarpages.
Recently, the merchant account folks have asked us if the other elements of our implementation are PCI compliant.
Our website developer seems to not know the answer and sent me your self assessment questionnaire.
I attempted to fill this out but it is riddled with confusing terms only a member of your organization would understand.
I need considerable help to fill out the questionnaire.
Can you please assist?
Thank you.
Sincerely,
Rudy Goetz
By datasecurity on Nov 22, 2006
If the only method you use to accept credit card transactions is via the “merchant services company” (i.e. you have no brick-and-mortar operations) and they accept all credit card orders, then you have nothing to worry about from a compliance perspective. Under this scenario you have outsourced all credit card processing (assuming they use their own merchant ID and not yours).
Lots of assumptions there. If you have any other methods of accepting credit cards (i.e. point-of-sale stations, paper receipts) or if you accept transactions and then pass them along to the “merchant service provider” then you may have other compliance obligations.
By Jessica on Dec 4, 2006
If we have a website that is integrated with PcCharge Payment Server (where both the website AND the Payment Server are hosted on a dedicated server and managed by a hosting company), is the hosting company now considered a Service Provider, a Payment Gateway, both, or neither?
By Marco Mabante on Dec 5, 2006
Darn good question Jessica. I happen to be attending a Visa security conference tomorrow and I will ask the question. I hope that your hosting company has placed PCCharge on a separate server that is not facing the internet. I will let you know what I find out.
Marco Mabante
VeriFone
By datasecurity on Dec 5, 2006
Jessica,
If the hosting company hosts your website and payment software on a dedicated server then the hosting company only needs to make sure that the cardholder data environment is PCI compliant. (And there are special PCI DSS requirements that apply just to hosting environments.)
You would also need to verify that your payment application was on the list of validated payment applications. I see that as of now, PCCharge v 5.7.x is compliant.
It’s a very good thing that it is a dedicated server and not a shared-hosting environment. The hosting company is a service provider but not a gateway, unless they offer the payment software for multiple merchants. Remember, the hosting company is just giving you rack space and “pipe” (bandwidth). I would double check that the Merchant ID used to process transactions is yours and not that of your hosting provider — if it is theirs they could be moved into the “gateway” category, but this would be rare considering the environment you described.
By Jessica on Dec 8, 2006
Thanks everyone! These regulations can be confusing at times! I will check with the provider about having PcCharge on a separate server not facing the Internet!
By Tony Arcabascio on Oct 25, 2007
We are a DR site for a retail company and we are managing their systems and backup data. Do we need to be PCI Compliant and to what extent?
By Shan on Feb 25, 2008
We build custom web pages for our customers with a re-direct link to processors like “Choice Pay”; they are a Visa certified provider, and all the credit card information is keyed/stored by Choice Pay. We only receive confirmation of payment back to post to customer statements. Are we considered a service provider or a payment gateway? Thanks
By Michael Dahn on Feb 26, 2008
@Shan, you are neither, though you are most likely a merchant. Choice Pay is a payment gateway (a type of service provider). I would work with them on (1) validating their compliance and (2) validating that you do not have access to cardholder data in any form.
By Shan on Feb 27, 2008
Michael, thank you. In the obj. calls for the web pages, we use our client's merchant ID and pass the information along with the customer information to the processor, all in real time, and it cannot be recalled. We do have access to CHD from an IVR at a call center level for QA should the customer experience issues with the webpage transaction. After reading more information, I believe we might be considered by definition an IPSP. Additionally, based on our customers' volume, we would be a level 3. Every time I read more, it seems more grey and confusing.
By Michael Dahn on Feb 27, 2008
@Shan, I think this discussion was raised in the forum and that’s a better place to have it.
http://forum.aegenis.com/
By Chris Haney on Sep 14, 2009
We will be doing some processing of ecommerce transactions with various Mastercard member banks for their merchants - and are trying to figure out whether we are a TPP or DSE (given our very low volumes this makes a big difference in audit requirements). MasterCard defines DSE as any MSP that is not a TPP or ISO - however the definition of TPP is very loose. Any thoughts on what would make us for MasterCard a DSE vs. a TPP?
By cmark on Sep 14, 2009
I used to work at MC and was responsible for TPP compliance.
If you process MC transactions on behalf of another MC client (bank) then you are a TPP. TPP has no volume requirements. You will be a level 1 and require a QSA. DSE is a 300K volume threshold. If you are contracting with a client (member bank) and are actually processing transactions (not passing through like a gateway) then you are likely a TPP.
By Chris Haney on Sep 14, 2009
cmark - thank you for a very clear explanation. A clarification: we will not be processing transactions in the sense of authorizing, etc., but rather passing those transactions through to the acquiring banks only, where they will get processed. Does this change the definition? On what aspects does the difference between TPP and DSE hinge?