Service Providers

Service Providers

New to the website is the Access Control Server (ACS), Approved Vendor Program (AVP) and PIN Security Assessor List. This security assessor list identifies individuals that have been approved by Visa to perform onsite security assessments for the identified program. Program participants must use this list to identify and engage with assessors directly for their onsite security reviews. Only security assessors on the list are authorized to perform onsite security reviews. For more information on approved SAs, contact your regional Visa program manager.

Compliance validation details for service providers

Both issuers and merchant banks must use, and are responsible for ensuring that their merchants use, service providers that are compliant with the PCI Data Security Standard (DSS). Although there may not be a direct contractual relationship between merchant service providers and merchant banks, Visa issuing and merchant banks are responsible for any liability that may occur as a result of non-compliance.

To locate a validated service provider, visit the Visa’s Global Registry of Service Providers.

Service provider registration

Service providers must be registered with Visa prior to inclusion on the Global Registry of Service Providers. For Third Party Agent registration requirements, please click here. For specific questions not covered in the FAQs, contact Visa via email at AgentRegistration@Visa.com.

Service providers are organizations that process, store, or transmit Visa cardholder account or transaction information on behalf of Visa clients, merchants, or other service providers. Service provider levels are defined as follows:

Service Provider Level Description
1 VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 Visa transactions per year
2* Any service provider that stores, processes and/or transmits less than 300,000 Visa transactions per year

In addition to adhering to the PCI DSS, compliance validation is required for all service providers.

Level Validation Action Validated By
1
  • Annual On-Site PCI Data Security Assessment
  • Quarterly Network Scan
  • Qualified Security Assessor
  • Approved Scanning Vendor
2
  • Annual PCI Self-Assessment Questionnaire
  • Quarterly Network Scan
  • Service Provider
  • Approved Scanning Vendor

*Entities that wish to be on the Global Registry of Service Providers must validate as a Level 1 provider.

Validation procedures and documentation

PCI DSS compliance validation is required every 12 months for all Level 1 and Level 2 service providers. Validation requirements are listed below.

  1. Third Party Agents: Level 1 Service Providers not directly connected to Visa are required to submit an Attestation of Compliance (AOC), signed by both parties. Visa reserves the right to request the full Report on Compliance (ROC), and will do so on occasion to verify appropriate content. Level 2 Service Providers must submit a signed SAQ-D or an AOC including a Qualified Security Assessors (QSA) signature for revalidation.
  2. Visa Clients, VisaNet Processors and Visa Vendors: Client banks, processors directly connected to Visa, and vendors providing services to Visa must validate compliance by submitting the full (ROC) and the AOC signed by both parties. ROCs must be sent securely via PGP encryption. If PGP is not available, please contact Visa at pcirocs@visa.com to discuss an alternative submission method.

All materials must be sent to pcirocs@visa.com.

  • The Annual On-Site PCI Data Security Assessment must be completed for Level 1 providers. Level 1 service providers should engage a Qualified Security Assessor to complete the Report on Compliance.
  • The Attestation of Compliance for Onsite Assessments – Service Providers must be completed by all service providers validating compliance and their assessor and submitted to Visa. The Attestation of Compliance for Onsite Assessments – Service Providers can be found here.
  • The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based in the externally-facing Internet Protocol (IP) address provided by the service provider. Level 1 and 2 service providers are responsible for ensuring that a quarterly network scan is performed on their Internet-facing perimeter systems by an Approved Scanning Vendor.

For More Information
To learn more about Visa's compliance programs, contact Visa via email at AskVisaUSA@Visa.com.

Annual Validation

Service Providers that store, process or transmit Visa cardholder data must demonstrate PCI DSS compliance and provide the compliance validation to Visa every 12 months. The fine for non-compliance starts at 50,000 USD per service provider (assessed to the registering Visa member).

For Level 1 service providers published on the Registry, if Visa does not receive the appropriate revalidation documents:

  • Within 1 – 60 days upon expiry of the validation documents, the entity will be highlighted in Yellow on the Registry.
  • Within 61 – 90 days upon expiry of the validation documents, the entity will be highlighted in Red on the Registry.
  • After 90 days, the entity will be removed from the Registry.

Please note that Visa reserves the rights to remove any third party agent from the Registry at its discretion.

For more information about the registration and PCI DSS compliance validation process, review TPA Registration Program FAQs (PDF | 180kb) or click here. For specific questions not covered in the FAQs, contact Visa via email at AgentRegistration@Visa.com.