Registration and PCI DSS Compliance

Registration

Who can register

Agent registration is required for all entities providing solicitation activities, managed services and/or storing, processing or transmitting Visa account numbers for Visa members (or on behalf of their merchants).

Benefits of Registration

Marketing Opportunity on a Global Scale

The Visa Global Registry of Service Providers contains information on service providers that are registered with Visa and have met Visa program requirements within Asia Pacific, Canada, Central Europe, Middle East, Africa, Latin America and the Caribbean, and the U.S. The registry contains service provider information such as company name, company website, corporate headquarter country, region(s) of operation, types of services offered and PCI DSS compliance validation date.

It serves as a platform where service providers can broadcast their compliance with Visa Inc. rules and any applicable PCI DSS requirements. This channel allows service providers to promote their services to potential clients worldwide and differentiate themselves from other service providers. Visa clients and merchants reference the registry to select registered and compliant service providers for outsourcing their payment-related services.

Third Party Agents that perform solicitation activities (ISO) or perform ATM support activities (ESO), without touching cardholder data, must be registered with Visa. Inclusion on the registry indicates only that the service provider successfully completed registration with Visa.

Proper Agent Control

Implementations of the Visa Global Registries have helped drive compliance with the Visa International Operating Regulations and the PCI DSS. The Registries have served as an incentive for TPAs to register with Visa and ensure that these agents do not increase the risk exposure to the payment system.

Early identification of entities and their respective financial institutions in compromise events have proven invaluable as Visa is able to engage appropriate parties and take action to contain incidents as quickly as possible. Additionally, Visa works hand in hand with members in developing policies and procedures that ensure appropriate controls are in place to adequately monitor the Third Party Agent relationships and protect the payment system.

Member’s Due Diligence

Visa issuers and acquirers remain responsible to perform due diligence prior to engaging any third party agent and ensure they have policies and procedures in place to provide the correct level of oversight and control of the agent regarding their Visa program.

If the third party agent is contracted by the acquirers’ merchant, the acquirer remains responsible to conduct the appropriate due diligence and ensure that the merchant and their agents comply with the relevant Visa and industry requirements.

Visa members must ensure that their third party agents that handle cardholder data are PCI DSS compliant and adhere to all Visa operating rules.

Registration Fee and Non-Registration Fines

The following fees are assessed to each client that registers Third Party Agents (TPAs):

  • $5,000 USD for initial registration and annual renewal for ISO, PSP, HRIPSP and DCV
  • $1,000 USD for initial registration and annual renewal for MS, ESO, TPS and DCC

Each Visa client that registers a third party agent is assessed an initial registration and annual renewal fee for that agent; based on the agent type registered. Fees are assessed up to $5,000 USD per client, per agent per region. There is no fee for ICPIA or CFS registration.

The fine for an unregistered agent starts at $10,000 per TPA.

For more information about the registration and PCI DSS compliance validation process, review TPA Registration Program FAQs (PDF | 183kb). For specific questions not covered in the FAQs, contact Visa via email at AgentRegistration@Visa.com for U.S. and Canada, or AgentRegistrationLAC@Visa.com for LAC.

Changes and Updates

In order to keep the TPA profiles current and accurate, registered TPAs are required to notify their financial institution(s) of any changes to any information such as changes in: Legal Name / Business Aliases; Mergers and Acquisitions; Legal location or additional business locations; Company Point of Contact; Types of services offered; Number of Visa transactions or accounts processed annually; Compliance status (where applicable); and Financial solvency. The financial institutions will update TPA information via the Visa Membership Management tool (VMM).

PCI DSS Compliance Requirements

Third Party Agents that store, process and/or transmit Visa cardholder account or transaction information are required to be in compliance with PCI DSS and third party agent levels are defined as follows:

1 TPA that stores, processes and/or transmits over 300,000 Visa transactions per year
2 TPA that stores, processes and/or transmits fewer than 300,000 Visa transactions per year

In addition to adhering to the PCI DSS, compliance validation is required for all third party agents.

1
  • Annual On-Site PCI Data Security Assessment
  • Quarterly Network Scan
  • Qualified Security Assessor
  • Approved Scanning Vendor
2
  • Annual PCI Self-Assessment Questionnaire
  • Quarterly Network Scan
  • Third Party Agent
  • Approved Scanning Vendor

Effective March 1, 2011, Visa will only require submission of an executed Attestation of Compliance (AOC) Form to demonstrate PCI DSS compliance as a Level 1 third party agent. Level 2 third party agents will submit version D of the Self-Assessment Questionnaire (SAQ-D). * Visa will not review the contents of the SAQ-D as issuers and acquirers are responsible for reviewing the accuracy of the SAQ-D.

All materials must be sent securely via PGP encryption to pcirocs@visa.com. If PGP is not available, please contact Visa at pcirocs@visa.com to discuss an alternative submission method. Qualified Security Assessors (QSAs) must submit only fully executed Attestation of Compliance forms, properly signed by the QSA and the third party agent confirming compliance with the PCI DSS. Visa reserves the right to require submission of a third party agent’s complete Report on Compliance (ROC).

All third party agents must be PCI compliant prior to beginning services in which they would have access to cardholder data.

For more information on PCI DSS, go to PCI Security Standards Council Site

Download the PCI Data Security Standard

Download the Attestation of Compliance for Onsite Assessments – Service Providers

Download the list of Approved Scanning Vendors

Download the list of Approved QSA Companies

Annual Renewal

Third Party Agents that store, process or transmit Visa account must perform the compliance review on an annual basis. The fine for non-compliance starts at 50,000 USD per TPA. For those required to be PCI DSS compliant, if Visa did not receive the renewal documents:

Within 1 – 60 days upon expiry of the compliance documents, the third party agent will be highlighted in Yellow on the Registry.

Within 61 – 90 days upon expiry of the compliance documents, the third party agent will be highlighted in Red on the Registry.

After 90 days, the third party agent will be removed from the Registry.

Please note that Visa reserves the rights to remove any third party agent from the Registry at its own discretion.

For more information about the registration and PCI DSS compliance validation process, review TPA Registration Program FAQs (PDF | 180kb). For specific questions not covered in the FAQs, contact Visa via email at AgentRegistration@Visa.com.



Back to Home

Related Information