Which statement is true about service providers in PCI context?

• A. Data Center hosting providers are service providers.
• B. Telecommunications providers that only provide communication links are not service providers.
• C. Payment gateways are not service providers.
• D. ISOs are not service providers.

Answer: (A)

In PCI terms, a service provider is any entity that stores, processes, or transmits cardholder data on behalf of a merchant, or that could affect the security of that data. Data center hosting providers clearly fit this, because they host the systems that store or process cardholder data and have the ability to influence security through their controls and access. That’s why this statement is true. The other options misstate the scope: payment gateways and ISOs are typically considered service providers because they handle or influence CHD security, and telecommunications providers can affect security as well, so saying they are not service providers isn’t universally correct.