Registration and PCI DSS Compliance
Who can Register
Only Visa clients can register third party agents with Visa. Agent registration is required for all entities providing solicitation activities, managed services and/or storing, processing or transmitting Visa account numbers for Visa members (or on behalf of their merchants).
Agent Benefits of Registration
Marketing Opportunity on a Global Scale
The Visa Global Registry of Service Providers contains information on service providers that are registered with Visa and have met Visa program requirements within Asia Pacific, Canada, Central Europe, Middle East, Africa, Latin America and the Caribbean, and the U.S. The registry contains service provider information such as company name, company website, corporate headquarter country, region(s) of operation, types of services offered and PCI DSS compliance validation date.
It serves as a platform where service providers can show their compliance with Visa Inc. rules and any applicable PCI DSS requirements. The registry allows service providers to promote their services to potential clients worldwide and differentiate themselves from other service providers.
Visa clients and merchants should reference the registry to select registered and compliant service providers for outsourcing their payment–related services.
Third Party Agents that perform solicitation activities (ISO) or perform ATM support activities (ESO), without touching cardholder data, must be registered with Visa. Inclusion on the registry indicates only that the service provider successfully completed registration with Visa.
Access to Visa Online
Agents that are registered by a Visa client, compliant with Visa program requirements and rules, and have demonstrated PCI DSS compliance validation may request access to Visa Online once registered and approved. Visa Online includes publications and documentation not accessible on the public Visa sites, a communication archive, and access to other Visa program materials.
Invitation to Visa hosted events
Registered and approved agents receive invitations to Visa hosted events such as the biannual Visa Agent and Processor event, data security webinar meetings, and security summits.
Benefits of Merchant Servicer participation in MSSIP
Participating in the Merchant Servicer Self–Identification Program allows Visa to:
- Confirm the Visa acquiring bank behind their merchant customers. If sufficient and accurate information is provided by the Merchant Servicer, Visa can determine their merchant's acquiring bank.
- Facilitate registration by the Visa acquiring bank(s). Visa will provide each acquiring bank with the relevant Merchant Servicer information to complete the Merchant Servicer registration.
- Accept the Service Provider Attestation of Compliance (AOC) or Self–Assessment Questionnaire–D (SAQ–D) for PCI DSS compliance validation. Visa will review and track the Merchant Servicer's AOC/SAQ–D and provide reminders as the AOC/SAQ–D renewal date approaches.
- Publish Merchant Servicers that have validated PCI DSS compliance via QSA and AOC submission on the Visa Global Registry of Service Providers. Visa will publish the Merchant Servicer on the Visa Global Registry of Service Providers upon Visa client registration approval, continued registration and annual PCI DSS re–validation through the MSSIP tool.
- Provide a registration confirmation letter to the Merchant Servicer directly (after the acquiring bank registers the Merchant Servicer). When the acquiring bank registers the Merchant Servicer, Visa will provide a registration letter to the Merchant Servicer directly.
Merchant Servicers approved through MSSIP will receive direct communication from Visa on program changes, agent registration changes and PCI DSS updates, and will receive an invitation to enroll in Visa Online and to receive Visa communications and event invitations.
Proper Agent Control
Implementations of the Visa Global Registries have helped drive compliance with the Visa International Operating Regulations and the PCI DSS. The Registries have served as an incentive for TPAs to register with Visa and ensure that these agents do not increase the risk exposure to the payment system.
Early identification of entities and their respective financial institutions in compromise events has proven invaluable, as Visa is able to engage appropriate parties and take action to contain incidents as quickly as possible. Additionally, Visa works hand in hand with members in developing policies and procedures that ensure appropriate controls are in place to adequately monitor the Third Party Agent relationships and protect the payment system.
Member’s Due Diligence
Visa issuers and acquirers remain responsible to perform due diligence prior to engaging any third party agent and ensure they have policies and procedures in place to provide the correct level of oversight and control of the agent regarding their Visa program.
If the third party agent is contracted by the acquirer’s merchant, the acquirer remains responsible to conduct the appropriate due diligence and ensure that the merchant and their agents comply with the relevant Visa and industry requirements.
Visa members must ensure that their third party agents that handle cardholder data are PCI DSS compliant and adhere to all Visa operating rules.
Registration Fee and Non-Registration Fines
The following fees are assessed to each client that registers Third Party Agents (TPAs):
- $5,000 USD for initial registration and annual renewal for ISO, PSP, HRIPSP and DCV
- $1,000 USD for initial registration and annual renewal for ESO, TPS and DCC
- Each Visa client that registers a third party agent is assessed an initial registration and annual renewal fee for that agent, based on the agent type registered. Fees are assessed up to $5,000 USD per client, per agent, per region. There is no fee for ICPIA, MS or CFS registration.
- The fine for an unregistered agent starts at $10,000 per TPA.
For more information about the registration and PCI DSS compliance validation process, review TPA Registration Program FAQs (PDF | 203kb). For specific questions not covered in the FAQs, contact Visa via email at AgentRegistration@Visa.com for U.S. and Canada, or AgentRegistrationLAC@Visa.com for LAC.
Changes and Updates
In order to keep the TPA profiles current and accurate, registered TPAs are required to notify their financial institution(s) of any changes to any information such as changes in: Legal Name / Business Aliases; Mergers and Acquisitions; Legal location or additional business locations; Company Point of Contact; Types of services offered; Number of Visa transactions or accounts processed annually; Compliance status (where applicable); and Financial solvency. The financial institutions will update TPA information via the Visa Membership Management tool (VMM).
Merchant Servicer agents are also required to maintain current and accurate profiles. MS agents can submit the above changes to Visa through MSSIP and Visa will distribute to the registering acquirer for update in VMM.
PCI DSS Compliance Requirements
Third Party Agents that store, process and/or transmit Visa cardholder account or transaction information are required to be in compliance with PCI DSS. Third party agent levels are defined as follows:
| Level | Definition |
|---|---|
| 1 | TPA that stores, processes and/or transmits over 300,000 Visa transactions per year |
| 2 | TPA that stores, processes and/or transmits fewer than 300,000 Visa transactions per year |
In addition to adhering to the PCI DSS, compliance validation is required for all third party agents.
Visa will only require submission of an executed Attestation of Compliance (AOC) Form to demonstrate PCI DSS compliance as a Level 1 third party agent. Level 2 third party agents will submit version D of the Self-Assessment Questionnaire (SAQ-D). Visa will not review the contents of the SAQ-D as issuers and acquirers are responsible for reviewing the accuracy of the SAQ-D.
Qualified Security Assessors (QSAs) must submit only fully executed Attestation of Compliance forms, properly signed by the QSA and the third party agent confirming compliance with the PCI DSS. Visa reserves the right to require submission of a third party agent’s complete Report on Compliance (ROC).
Merchant Servicer agents must submit PCI DSS compliance validation materials through the MSSIP.
All third party agents must be PCI compliant prior to beginning services in which they would have access to cardholder data.
For more information on PCI DSS, go to PCI Security Standards Council Site
Download the PCI Data Security Standard
Download the list of Approved Scanning Vendors
Download the list of Approved QSA Companies
Third Party Agents that store, process or transmit Visa account must perform the compliance review on an annual basis. The fine for non-compliance starts at $10,000 USD per TPA. For those required to be PCI DSS compliant, if Visa did not receive the renewal documents:
- Within 1 – 60 days upon expiry of the compliance documents, the third party agent will be highlighted in Yellow on the Registry.
- Within 61 – 90 days upon expiry of the compliance documents, the third party agent will be highlighted in Red on the Registry.
- After 90 days, the third party agent will be removed from the Registry.
Please note that Visa reserves the right to remove any third party agent from the Registry at its own discretion.
For more information about the registration and PCI DSS compliance validation process, review TPA Registration Program FAQs (PDF | 203kb). For specific questions not covered in the FAQs, contact Visa via email at AgentRegistration@Visa.com.