PCI DSS Level 1 Service Provider Certification for UAE Payment Processors
Payment service providers face the most demanding PCI DSS requirements - Level 1 ROC, penetration testing, quarterly ASV scans, and card brand registration. We get you there.
What We See in This Space
Payment service providers - gateways, acquirers, processors, and switch operators - face the most stringent PCI DSS requirements of any entity in the payment ecosystem. As a Level 1 Service Provider, you undergo annual on-site QSA assessment, mandatory quarterly ASV scans, and annual penetration testing across your full service environment.
What PCI DSS Level 1 Service Provider Means
Any service provider that processes, stores, or transmits over 300,000 card transactions annually is classified as a PCI DSS Level 1 Service Provider. This includes:
- Payment gateways and e-commerce payment processors
- Acquiring processors and ISO 8583 switch operators
- Managed security service providers handling card data
- Cloud hosting providers that store cardholder data
Level 1 Service Provider requirements include:
- Annual ROC - on-site assessment by a QSA, producing a formal Report on Compliance
- Quarterly ASV scans - external vulnerability scans of all internet-facing CDE IP addresses
- Annual penetration test - internal and external, covering network and application layers
- Incident response plan - documented and tested, with card brand notification procedures
Card Brand Registration
UAE payment service providers that process Visa or Mastercard transactions must be registered on card brand compliance programs:
Visa: Registration on the Visa Global Registry of Service Providers requires a current ROC (or SAQ for lower-tier providers) and annual re-validation. Unregistered service providers risk their merchant customers being assessed non-compliance fines.
Mastercard: The Mastercard Compliant Service Provider List has equivalent requirements. Being removed from the list - for failing to re-validate - can trigger merchant contract issues and acquiring bank relationship reviews.
We manage the card brand registration process - including documentation preparation, submission coordination, and annual renewal tracking - as part of our Level 1 Service Provider engagement.
Scope Complexity for UAE PSPs
UAE payment service providers often operate complex, multi-tenant environments: shared infrastructure serving hundreds of merchants, integration with multiple acquiring banks, and connections to both international card scheme networks and UAE-local payment schemes (network).
Scoping a PSP environment correctly is critical. Incorrect scope - particularly for shared service environments - is the most common source of Level 1 audit findings. We conduct rigorous scoping workshops at the start of every PSP engagement to define defensible CDE boundaries across multi-tenant architectures.
How We Help
- PCI DSS Gap Analysis
- QSA-Readiness & ROC Support
- Remediation Planning
- Payment Tokenization Advisory
Start Your PCI DSS Journey
Book a free 30-minute compliance discovery call with our PCI DSS specialists in Dubai. We assess your current posture and identify the fastest path to compliance - actionable findings in days.