A PCI compliance service provider is a third party, validated against PCI DSS, that handles card data on behalf of merchants — typically the parts of the payment flow that touch cardholder data directly — so that most of the merchant's own systems stay out of PCI DSS scope.
The economics matter. PCI DSS compliance for a merchant who handles card data themselves means full SAQ D (the most extensive self-assessment questionnaire), annual penetration testing, network segmentation, encryption key management, and ongoing audit overhead. For a mid-sized merchant, that's typically £50,000-£250,000 a year in compliance cost, before counting the operational burden on engineering and security teams.
Using a PCI Level 1 Service Provider for the part of the flow that touches card data — checkout, voice capture, vault, gateway routing — drops merchant scope dramatically. SAQ A (the shortest questionnaire) becomes possible, provided the integration pattern qualifies. Penetration testing requirements relax. Engineering teams stop worrying about HSM key rotation and tokenisation algorithms. The service provider's annual audit by a Qualified Security Assessor (QSA) does the heavy lifting on behalf of every merchant using their environment.
This guide covers what a PCI compliance service provider actually is, the service provider levels the card schemes define, how PCI service provider compliance differs from merchant compliance, what Level 1 specifically requires, and how to evaluate a provider for your use case.
What Is a PCI Compliance Service Provider?
PCI DSS recognises two primary categories of entity: merchants (businesses that accept card payments for their own goods and services) and service providers (companies that store, process, or transmit cardholder data on behalf of merchants — or that could affect the security of cardholder data).
A PCI compliance service provider sits in the second category. Examples include:
Payment gateways — Stripe, Adyen, Checkout.com, Worldpay, Authorize.Net
Payment processors — the entities that route transactions to card networks
Acquirers — banks that hold the merchant account and have direct card scheme membership
Tokenisation / vault providers — companies that store card credentials and return tokens
**Voice payment providers** — companies handling DTMF capture and voice payments
Hosted checkout providers — platforms that run the card entry form on your behalf
PCI scope reduction providers — services that intercept card data before it reaches your environment
Every one of these categories includes Level 1 service providers. Each subset of the payment flow can — in principle — be outsourced to one. The merchant's PCI obligation shrinks to the parts of the flow they still touch directly.
The PCI Service Provider Levels
Service provider levels are determined by transaction volume processed annually. The card schemes (Visa and Mastercard, primarily) define the thresholds; PCI DSS itself doesn't, but in practice the requirements scale with the level.
Level 1: Service Providers processing 300,000+ card transactions per year
The highest tier. Required for any third-party service provider handling card data at meaningful scale. Compliance demands:
Annual on-site audit by a Qualified Security Assessor (QSA) — not a self-assessment. The QSA produces a Report on Compliance (ROC).
Quarterly network scans by an Approved Scanning Vendor (ASV) — external vulnerability scans of the cardholder data environment.
Annual penetration testing — network-layer and application-layer, repeated after significant changes. Service providers that rely on segmentation must also test their segmentation controls at least every six months (Requirement 11.4.6 in v4.0), not just annually.
Attestation of Compliance (AOC) on file — published or made available on request to merchants and partners.
Level 1 is the bar to set for any service provider you are relying on for scope reduction at audit. Strictly, SAQ A eligibility requires the provider to be PCI DSS validated rather than Level 1 specifically, so a Level 2 provider with a current SAQ D-SP AOC can qualify; but a QSA-signed ROC is the stronger evidence and the one enterprise QSAs expect. If the provider cannot produce a current AOC at all, your acquirer or QSA may treat the outsourced parts of the flow as still inside your scope and assess you as if you handled the card data yourself.
Level 2: Service Providers processing fewer than 300,000 transactions per year
May complete a Self-Assessment Questionnaire (SAQ) — SAQ D for Service Providers — instead of a QSA-led ROC. The control requirements are the same as at Level 1; the difference is that the service provider attests to them itself rather than having an independent assessor do so.
In practice, most enterprise merchants and platforms require Level 1 from their service providers regardless of the provider's transaction volume. Level 2 is rare for serious payment infrastructure vendors.
Are there Levels 3 and 4?
Not for service providers. Visa and Mastercard define only two service provider levels; Levels 3 and 4 exist in the merchant programme, for smaller merchants that validate by SAQ. A vendor describing itself as a "Level 3 service provider" is mixing up the two schemes, which is itself a reason to ask for the AOC. Most modern payment infrastructure providers operate at Level 1.
Merchant PCI Compliance vs Service Provider PCI Compliance
The two compliance regimes look similar but have different scopes, audit requirements, and consequences.
| | Merchant compliance | Service provider compliance |
|---|---|---|
| Who needs it | Any business accepting card payments | Any third party that stores, processes or transmits card data on behalf of merchants, or that can affect its security |
| Levels | 4 levels (Level 1 = 6M+ transactions/year) | 2 levels (Level 1 = 300K+ transactions/year) |
| Validation | SAQ (self-assessment) for Levels 2-4; ROC for Level 1 | ROC for Level 1; SAQ D for Service Providers (SAQ D-SP) for Level 2 |
| Audit | Annual on-site QSA assessment at Level 1 only | Annual on-site QSA assessment at Level 1 (mandatory) |
| Pen testing | Annual and after significant changes wherever Requirement 11 is in scope (ROC, SAQ D, SAQ A-EP); not part of SAQ A | Annual and after significant changes, plus segmentation-control testing every six months |
| AOC | Submitted to the merchant's acquirer | Submitted to the acquirer or card schemes, and made available to merchant customers on request |
The thresholds are different (300K transactions for service providers vs. 6M for merchants) because the blast radius of a service provider breach is different — a single breach can compromise thousands of merchants. The bar is correspondingly higher.
What PCI DSS Level 1 Service Provider Status Actually Means
When a service provider claims to be "PCI DSS Level 1", these are the concrete things it should mean:
They have a current AOC — an Attestation of Compliance signed by a QSA within the last 12 months. Ask to see it.
They have a current ROC — the Report on Compliance produced by their QSA. It goes to the card schemes or acquirer and is normally not shared with customers in full; the AOC is the evidence that the ROC exists and that the assessment passed.
They run quarterly ASV scans — external vulnerability scans of their cardholder data environment by an Approved Scanning Vendor.
They run annual pen tests — by a qualified pen testing firm, on both network and application layers.
Their cardholder data environment is segmented — physically and logically separated from non-cardholder systems, with controlled boundary devices.
They run a continuous monitoring programme — file integrity monitoring, intrusion detection, log review, on the cardholder data environment.
A claim of "PCI Level 1" without a current AOC isn't a claim, it's marketing language. The AOC is the only document that proves the audit happened and passed. It's also the document that lets your QSA confirm the service provider's compliance during your own audit.
How a PCI Service Provider Reduces Merchant Scope
Scope reduction is the entire reason merchants use PCI service providers. Done right, it transforms the merchant's compliance burden from "build and maintain a fully-segmented cardholder data environment" to "configure your integration with a certified provider and document the boundary."
The mechanism: the parts of the payment flow that touch cardholder data — entry, transmission, storage — happen inside the service provider's certified environment, not the merchant's. The merchant's systems receive only tokens, references, or non-sensitive metadata.
Concretely:
Hosted checkout / payment page hosted by the service provider → merchant qualifies for SAQ A, the shortest SAQ (22 questions under v3.2.1; v4.0 added several, including controls on the merchant page that embeds the provider's form). All card data entry happens on the service provider's domain via redirect or iframe.
Provider-served hosted fields / iframes embedded in the merchant's checkout → merchant generally still qualifies for SAQ A, because the card fields themselves are loaded from the provider's environment and the merchant's page only embeds them.
Merchant-built form that posts directly to the service provider (JavaScript or direct-post integration) → merchant qualifies for SAQ A-EP. Card data still bypasses the merchant's servers, but the merchant's page controls how it is sent, so the merchant's web environment is in scope: v4.0 payment-page script controls (6.4.3 script inventory and integrity, 11.6.1 tamper detection), Content Security Policy, vulnerability management and more.
Server-side card capture by the merchant, with tokenisation by the service provider → merchant qualifies only for SAQ D for Merchants. Card data passes through the merchant's servers, however briefly, before being exchanged for a token, so those servers and everything connected to them are in scope. This is the most demanding outcome and the one scope reduction is meant to avoid.
**DTMF interception by the service provider for voice payments → merchant qualifies for SAQ A** for the voice channel. The provider masks or captures the tones before they reach the merchant's telephony, so agents, call recordings and agent desktops never carry card data.
**White-label payment links on the merchant's domain → merchant qualifies for SAQ A**, provided the page itself is served from the service provider's environment (for example, a subdomain the merchant delegates to the provider) and the merchant's own infrastructure does not proxy or modify it. The branded URL does not change scope; where the page is served from does.
The pattern: every step you outsource to a Level 1 service provider's certified environment is a step you don't have to certify yourself. Pick service providers that take responsibility for the highest-scope parts of the flow.
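Two checks that make the boundary above verifiable rather than asserted: that nothing resembling a card number ever lands in the merchant's own logs, and that the merchant page embedding the provider's checkout only loads scripts it has authorised and integrity-pinned (the 6.4.3 idea, checked statically). This is an added example, not Shuttle's code and not a PCI SSC tool; it assumes plain-text log lines and ordinary HTML, and the log lines, page and host names in it are constructed for the example.

```python
"""Merchant-side checks on the PCI scope boundary.

Added example, not Shuttle code or a PCI SSC tool. Assumes plain-text
application logs and an ordinary HTML checkout page; all sample data
below (log lines, page, host names) is constructed.
"""
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# ---- Check 1: does anything resembling a PAN reach merchant systems? ----
# 13-19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: every real PAN passes; about 1 in 10 random runs do too."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(line: str) -> list[str]:
    """Return Luhn-valid digit runs found in one log line."""
    hits = []
    for m in _PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """(line number, masked PAN) for every suspected card number in the log."""
    found = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            found.append((n, pan[:6] + "*" * (len(pan) - 10) + pan[-4:]))
    return found


# ---- Check 2: script inventory on the page that embeds the provider ----
class _ScriptCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_payment_page(html: str, allowed_hosts: set[str]) -> list[str]:
    """Every external script must come from an allowed host and carry an
    SRI hash; inline scripts are reported so they can be justified or removed."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            findings.append("inline script: justify it, or move it to an allowed host")
            continue
        if urlparse(src).netloc not in allowed_hosts:
            findings.append(f"{src}: host not on the allowlist")
        integrity = attrs.get("integrity") or ""
        if not integrity.startswith(("sha256-", "sha384-", "sha512-")):
            findings.append(f"{src}: no subresource integrity hash")
    return findings


def sri_hash(script_body: bytes) -> str:
    """The integrity attribute value for a script body you have reviewed."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_body).digest()).decode()


# Constructed sample data. 4111 1111 1111 1111 is a well-known test PAN; the
# order id is 16 digits but fails Luhn, so it must not be reported.
SAMPLE_LOG = [
    "2025-06-01T10:00:01Z checkout order=1000000000000018 token=tok_8f3a1 status=authorised",
    "2025-06-01T10:00:02Z DEBUG raw request body: card=4111 1111 1111 1111 exp=12/29",
    "2025-06-01T10:00:03Z webhook payment_id=pay_7f3a amount=1999 currency=GBP",
]

SAMPLE_PAGE = """<html><body>
<script src="https://js.provider.example/v1/fields.js"
        integrity="sha384-replaced-by-the-real-hash" crossorigin="anonymous"></script>
<script src="https://cdn.analytics.example/tag.js"></script>
<script>window.dataLayer = [];</script>
</body></html>"""

if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"PAN-like value on log line {n}: {masked}")
    for finding in audit_payment_page(SAMPLE_PAGE, {"js.provider.example"}):
        print("payment page:", finding)
```

Run against the constructed data, the log scan reports only the DEBUG line (a debug logger echoing a raw request body is exactly how a token-only integration quietly falls into SAQ D territory) and leaves the 16-digit order id alone; the page audit flags the analytics tag twice and the inline script once. The Luhn filter only trims false positives, so treat hits as leads to confirm, and remember that the static script check says nothing about runtime tampering, which is what 11.6.1 is for.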
Types of PCI Compliance Service Providers
The market segments into several distinct provider types, each owning a different part of the flow.
Payment Gateways
The original PCI service providers. Handle authorisation, transmission to the acquirer, settlement reconciliation. Examples: Stripe, Adyen, Checkout.com, Worldpay, Braintree, Authorize.Net. All operate at Level 1.
Payment Processors and Acquirers
Banks and bank-adjacent entities that hold the merchant account and route transactions to card networks. Examples: Chase Merchant Services, FIS / Worldpay (acquiring side), Wells Fargo Merchant Services, Barclaycard. All Level 1.
Tokenisation / Vault Providers
Specialised in storing card credentials and returning tokens for repeat use. Examples: Spreedly, Basis Theory, VGS (Very Good Security), TokenEx. Used when merchants want to maintain PSP optionality without holding card data themselves.
Hosted Checkout / Payment Page Providers
Run the actual card-entry page on their domain so merchants can claim SAQ A. Examples: Stripe Checkout, PayPal Checkout, Adyen Hosted Checkout, Braintree Drop-in.
Voice Payment / DTMF Service Providers
Specialised in voice payments and DTMF capture for contact centres. Examples: PCI Pal, Sycurio (formerly Semafone), Eckoh, Shuttle Voice Checkout. All operate at Level 1 to provide scope-reduction value.
Payment Links / Pay-by-Link Providers
Provide hosted checkout pages accessed via URL — ideal for invoice payments, SMS-led flows, social commerce. Examples: Stripe Payment Links, Shuttle Payment Links, Square Payment Links, GoCardless Pay-Now.
Payment Orchestrators / Multi-PSP Routers
Sit between the merchant and multiple gateways, handling smart routing and scope reduction. Examples: Gr4vy, Spreedly, Primer, Shuttle. Most operate at Level 1; verify before assuming.
Industry-specific PCI Service Providers
Some service providers specialise by vertical — healthcare (HIPAA + PCI), legal trust accounts, government, hospitality. The vertical specialisation is usually layered on top of standard Level 1 PCI compliance.
How to Evaluate a PCI Compliance Service Provider
Six questions cut through the marketing noise.
1. Show me the current AOC. Not the marketing page that says "PCI Level 1 certified". The AOC, dated within the last 12 months, signed by a QSA. If they can't or won't share it under NDA, walk away.
2. Which version of PCI DSS are you assessed against? PCI DSS v4.0.1 is the current version: v3.2.1 was retired on 31 March 2024, v4.0 on 31 December 2024, and the future-dated v4.x requirements became mandatory on 31 March 2025. A current AOC should be against v4.0.1. An AOC against 3.2.1 is obsolete, however recent its date.
3. What's your cardholder data environment, and what stays out of it? A serious service provider has clear answers about CDE boundaries and what's logically segmented. If the answer is hand-wavy, they don't know — which means their next audit might surprise them.
4. What scope reduction do you actually give my merchants? Different integration patterns = different SAQ outcomes. Ask: "If I use your hosted checkout, what SAQ do I qualify for?" The answer should be SAQ A for a redirect, iframe or hosted-fields integration, or SAQ A-EP if your own page builds the form and posts directly to them. If they're vague, the scope reduction may not actually exist.
**5. How do you handle cardholder data — and do you store it?** Some providers vault. Some don't. Both are valid models, but you need to know which you're getting. If they vault, ask about the encryption model, key management (HSM-backed?), and breach response. If they don't vault — like Shuttle — clarify what they tokenise and where the actual card credential lives (typically the gateway).
6. What happens at *your* audit, and what's the breach process for *my* customers? The AOC is annual. Between audits, things change. Ask about continuous monitoring, change-control process, and the exact breach notification path that affects you as a customer (not just the regulator-facing path).
What "PCI Compliance as a Service" Means
"PCI Compliance as a Service" (sometimes "PCIaaS") is a framing rather than a defined product category. It usually describes one of three things:
1. Outsourced compliance management. Consultancies that manage your QSA relationship, run your scans, advise on remediation. You're still the entity being audited.
2. Bundled service provider offerings. A vendor that provides multiple Level 1 service provider services (gateway + vault + checkout + voice) under one AOC, simplifying the integration and audit story.
3. Turn-key compliance reduction platforms. Pre-integrated stacks designed to drop a merchant straight to SAQ A — typically a hosted checkout + tokenisation + reporting bundle.
All three are legitimate. None of them remove your PCI obligation entirely; they just shift the heaviest parts to specialists. Treat any vendor claiming "we make you PCI compliant" with appropriate scepticism — your obligation as a merchant doesn't disappear, it just gets smaller.
Industry-Specific Considerations
Some industries layer additional requirements on top of standard PCI Level 1.
Healthcare — HIPAA on top of PCI; service providers handling both must satisfy both regimes. HIPAA has no certification scheme, so look for a signed Business Associate Agreement and independent audit evidence (such as a SOC 2 report) alongside the PCI AOC. Examples: dedicated healthcare payment processors and platforms.
Government — FedRAMP for US federal agencies, DoD Impact Levels 4/5 for defence workloads. Layered on top of Level 1.
Legal / trust accounts — bar-association rules, often state-specific, alongside PCI.
**Hospitality** — restaurant / hotel-specific scope considerations around tipping, gratuity, room charges. See restaurant PCI compliance.
**Voice / contact centre** — DTMF-specific controls and recording obligations. Layered on top of Level 1; see DTMF payments.
**Insurance and financial services** — typically layered with FCA / PRA requirements in the UK, state insurance regulator requirements in the US. See PCI payments for insurance platforms.
Shuttle as a PCI Compliance Service Provider
Shuttle is a PCI DSS Level 1 Service Provider. The certification is renewed annually by an external QSA, with quarterly ASV scans and annual penetration testing. The Attestation of Compliance is available to customers and partners.
Three architectural choices distinguish Shuttle's PCI posture from the typical service provider model.
No card vault. Shuttle does not store card data. Tokenisation is handled by the underlying payment gateway — Shuttle hands the gateway's token back to the merchant for repeat use, but never holds the card credential itself. This keeps Shuttle's blast radius small and keeps merchants from having to trust Shuttle as a card storage vendor in addition to a transaction router.
Gateway-agnostic. Shuttle integrates with 40+ payment gateways and processors. The PCI scope reduction doesn't depend on a specific PSP — merchants and platforms can route via any supported processor while keeping the same SAQ A outcome.
**Multi-channel coverage under one AOC.** Voice (DTMF capture), payment links, embedded checkout, and orchestration all sit inside the same Level 1 environment. Merchants integrating across channels deal with one service provider, one AOC, one scope-reduction story.
Shuttle also holds **SOC 2 Type II** and **ISO 27001** certifications, with all data stored in Europe and full GDPR coverage. ICO registration: ZB059255. Full architectural documentation at docs.shuttleglobal.com.
Frequently Asked Questions
What is a PCI compliance service provider? A PCI compliance service provider is a third party certified to handle cardholder data on behalf of merchants. They take on the most demanding parts of PCI compliance — card capture, transmission, storage — so the merchant's own systems can stay out of PCI scope.
What does PCI DSS Level 1 mean? PCI DSS Level 1 is the highest tier of compliance. For service providers it applies at 300,000+ card transactions per year and requires an annual on-site audit by a Qualified Security Assessor, quarterly external vulnerability scans by an Approved Scanning Vendor, annual penetration testing, and an Attestation of Compliance signed by the QSA.
What's the difference between a Level 1 merchant and a Level 1 service provider? The thresholds are different (6M+ annual transactions for Level 1 merchant; 300K+ for Level 1 service provider) and the audit obligations differ. Service providers are audited because a single breach affects all their merchants; the bar is correspondingly higher.
Can a service provider make my business PCI compliant? A service provider can dramatically reduce your PCI scope, but they cannot remove your obligation entirely. As a merchant, you still need to complete an SAQ (typically SAQ A if you've outsourced everything sensitive) and meet the controls that apply to your remaining environment.
How do I verify a PCI service provider's compliance? Ask for their current Attestation of Compliance (AOC), dated within the last 12 months and signed by a QSA. The AOC is the only document that proves the audit happened. Marketing claims of "PCI Level 1" without an AOC are not verifiable.
What is "PCI compliance as a service"? "PCI compliance as a service" usually means either (1) outsourced compliance management by a consultancy, (2) bundled service provider offerings under one AOC, or (3) a turn-key platform that drops merchants straight to SAQ A. All three exist; none of them eliminate the merchant's PCI obligation — they just minimise it.
**Do payment links require PCI compliance?** Yes. Any system handling cardholder data — including payment link hosted checkout pages — needs PCI DSS coverage. Using a Level 1 service provider for the payment link's checkout drops the merchant to SAQ A.