Having had a poke around recently, it became apparent that there is no clear definition of what a DSE or a TPP actually 'is'.
Some QSAs have assumed that Third Party Processor (TPP) in effect means ANY payment/transaction service provider and have incorrectly classed entities that service
To clarify what a TPP actually is: it's an entity that performs MasterCard transaction and processing Program Services for Members, for example POI terminal operation, authorization routing, electronic data capture, clearing file preparation, submission, settlement, statement preparation and chargeback processing. In simpler terms, it is what we all know as an Acquiring Bank (or anyone that connects directly to MasterCard's payment networks to provide Program Services).
...and a Data Storage Entity (DSE) is an entity that stores, processes or transmits transactions on behalf of a Member, Merchant or Member Service Provider (MSP). For example, a web hosting company, payment gateway, terminal drivers (whatever they are) and processors.
What makes the distinction important is that MasterCard classify ALL TPPs as a Level 1 Service Provider (thus needing a QSA onsite audit), whereas DSEs that process
Another common mistake that QSAs seem to be making is taking the aggregate of all Visa, MasterCard and Amex transactions and using this as the 'tpa' for each card scheme. This is wrong. MasterCard's 300,000 limit refers to 300,000 MasterCard transactions; Visa's limit refers to Visa cards.
However, Amex, JCB and Discover do not have a Level 1 or a Level 2. So no matter how many of these cards are processed, full onsite validation by a QSA is required for any organisation that provides any service relating to these cards for merchants.
Service providers that process small transaction volumes should seriously consider the associated audit costs if they are to take Amex, JCB or Discover transactions.
I'm sort of hoping that the card schemes glue together some kind of unified approach and it would make the world a whole lot simpler if we just followed Visa's model.
Even so, the 300,000 boundary between Level 1 and Level 2 can pose a serious risk if service providers fail to understand what PCI DSS is about, just tick all the boxes and send in a self-assessment. MILLIONS of cards could be at risk, as these volumes soon add up over the years. And since Visa's trigger for forensic involvement is around 1,000 potentially compromised cards, there is a hidden risk that must be seriously considered no matter what transaction volume a service provider processes.