Service Providers

Compliance validation details for service providers

Both issuers and merchant banks must use, and are responsible for ensuring that their merchants use, service providers that are compliant with the PCI Data Security Standard (DSS). Although there may not be a direct contractual relationship between merchant service providers and merchant banks, Visa issuers and merchant banks are responsible for any liability that may occur as a result of non-compliance.

To locate a validated service provider, visit Visa’s Global Registry of Service Providers.

Service provider registration

Service providers must be registered with Visa prior to inclusion on the list of PCI DSS-compliant service providers. For more information about the registration process, review TPA Registration Program FAQs. Additional information on the requirements for registering a Third Party Agent is available at www.visa.com/third-party-agent. For specific questions not covered in the FAQs, contact Visa via email at AgentRegistration@Visa.com.

Visa Introduces Corporate Franchise Servicer as a New Third Party Agent Category

A review of recent cardholder data breaches affecting franchise locations indicates that the breaches have originated and spread quickly among locations due to systems owned or managed by corporate franchise organizations. This includes cases where the franchisor or shared network has no direct role in processing cardholder data (e.g., inventory control networks and restaurant menu distribution networks). Corporate Franchise Servicer entities operate in a number of merchant segments, including lodging and food service.

Accordingly, PCI DSS non-compliance of franchisors or other organizations performing aggregator or gateway functions may expose acquirers to non-compliance penalties and increase potential liability in the event of a data compromise.

In an effort to address the increasing threat of data compromises that affect franchise businesses, effective June 16, 2010, Visa will extend the Third Party Agent Program to include a new category of agents, called “Corporate Franchise Servicers.” Corporate Franchise Servicers operate in a number of merchant segments, including food service and lodging.

The inclusion of Corporate Franchise Servicer agents in the Visa Third Party Agent Program will help ensure that Corporate Franchise Servicer agents protect card data by, at a minimum, complying with the Payment Card Industry Data Security Standard (PCI DSS).

Note that the new Corporate Franchise Servicer (CFS) category will not increase requirements for franchisors already participating in validation programs such as Visa's Payment Card Industry Compliance Acceleration Program (PCI CAP) or Service Provider Program. Please click here for more information.

Service provider levels defined

Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa clients, merchants, or other service providers. Service provider levels are defined as:

| Service Provider Level | Description |
|---|---|
| 1 | VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually |
| 2* | Any service provider that stores, processes and/or transmits less than 300,000 Visa transactions annually |

* Effective February 1, 2009, Level 2 service providers will no longer be listed on Visa’s Global Registry of Service Providers. Entities that wish to be on the Global Registry of Service Providers must validate as a Level 1 provider.

Compliance validation basics

In addition to adhering to the PCI DSS, compliance validation is required for all service providers.

| Level | Validation Action | Validated By | Due Date |
|---|---|---|---|
| 1 | Annual On-Site PCI Data Security Assessment; Quarterly Network Scan | Qualified Security Assessor; Approved Scanning Vendor | 2/01/09 |
| 2 | Annual PCI Self-Assessment Questionnaire; Quarterly Network Scan | Service Provider; Approved Scanning Vendor | 2/01/09 |

Validation procedures and documentation

Effective February 1, 2009, Visa will only require submission of an executed Attestation of Compliance Form and the “Executive Summary” section of the service provider’s Report on Compliance (ROC) to demonstrate PCI DSS compliance as a Level 1 service provider. Level 2 service providers will submit version D of the Self-Assessment Questionnaire (SAQ).

All materials must be sent securely via PGP encryption to pcirocs@visa.com. If PGP is not available, please contact Visa at pcirocs@visa.com to discuss an alternative submission method. Qualified Security Assessors (QSAs) must submit only fully executed Attestation of Compliance forms, properly signed by the QSA and the service provider confirming compliance with the PCI DSS. The ROC Executive Summary must clearly state the scope of the service provider’s PCI DSS assessment. Visa reserves the right to require submission of a service provider’s complete ROC.

The global service provider levels and new PCI DSS compliance validation submission process will go into effect on February 1, 2009. U.S. service providers that validate PCI DSS compliance and submit their required PCI DSS compliance validation documentation to Visa prior to February 1, 2009, will be accepted under previous service provider levels and submission process.

  • The Annual On-Site PCI Data Security Assessment must be completed for Level 1 providers. Level 1 service providers should engage a Qualified Security Assessor to complete the Report on Compliance.

  • The Attestation of Compliance for Onsite Assessments – Service Providers must be completed by all service providers validating compliance and their assessor and submitted to Visa. The Attestation of Compliance for Onsite Assessments – Service Providers can be found here.

  • The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based on the externally facing Internet Protocol (IP) address provided by the service provider. Level 1 and 2 service providers are responsible for ensuring that a quarterly network scan is performed on their Internet-facing perimeter systems by an Approved Scanning Vendor.

A Visa client who uses a service provider, or whose merchant uses a service provider, that is not compliant should refer that service provider to this site for information on how to become compliant.

For more information

To learn more about Visa’s compliance programs, contact Visa via email at AskVisaUSA@Visa.com.