
Service Providers
Compliance validation details for service providers
Both issuers and acquirers must use, and are responsible for ensuring that their merchants use, service providers that are compliant with the PCI Data Security Standard (DSS). Although there may not be a direct contractual relationship between merchant service providers and acquirers, Visa issuers and acquirers are responsible for any liability that may occur as a result of non-compliance.
To locate a validated service provider, download the Global List of PCI DSS Validated Service Providers (PDF | 335kb).
Service provider registration
Service providers must be registered with Visa prior to inclusion on the list of PCI DSS-compliant service providers. For more information about the registration process, review the Third Party Agent (TPA) frequently asked questions (FAQs).
Service provider levels defined
Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa clients, merchants, or other service providers. Service provider levels are defined as:
| Service Provider Level | Description |
|---|---|
| 1 | VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually |
| 2* | Any service provider that stores, processes and/or transmits less than 300,000 Visa transactions annually |
*Effective February 1, 2009, Level 2 service providers will no longer be listed on Visa's List of PCI DSS Compliant Service Providers. Entities that wish to be on the Global List of PCI DSS Validated Service Providers must validate as a Level 1 provider.
Compliance validation basics
In addition to adhering to the PCI DSS, compliance validation is required for all service providers.
| Level | Validation Action | Validated By | Due Date |
|---|---|---|---|
| 1 | | | 2/01/09 |
| 2 | | | 2/01/09 |
Validation procedures and documentation
Effective February 1, 2009, Visa will only require submission of an executed Attestation of Compliance Form and the “Executive Summary” section of the service provider’s Report on Compliance (ROC) to demonstrate PCI DSS compliance as a Level 1 service provider. Level 2 service providers will submit version D of the Self-Assessment Questionnaire (SAQ).
All materials must be sent securely via PGP encryption to pcirocs@visa.com. If PGP is not available, please contact Visa at cisp@visa.com to discuss an alternative submission method. Qualified Security Assessors (QSAs) must submit only fully executed Attestation of Compliance forms, properly signed by the QSA and the service provider confirming compliance with the PCI DSS. The ROC Executive Summary must clearly state the scope of the service provider’s PCI DSS assessment. Visa reserves the right to require submission of a service provider’s complete ROC.
The global service provider levels and new PCI DSS compliance validation submission process will go into effect on February 1, 2009. U.S. service providers that validate PCI DSS compliance and submit their required PCI DSS compliance validation documentation to Visa prior to February 1, 2009, will be accepted under previous service provider levels and submission process.
- The Annual On-Site PCI Data Security Assessment must be completed for Level 1 providers according to the PCI Requirements and Security Assessment Procedures v1.2 document. This document is also to be used as the template for the Report on Compliance.
  Level 1 service providers should engage a Qualified Security Assessor to complete the Report on Compliance.
  Download the PCI Data Security Standard v1.2.
- The Attestation of Compliance for Onsite Assessments – Service Providers must be completed by all service providers validating compliance and their assessor and submitted to Visa. The Attestation of Compliance for Onsite Assessments – Service Providers can be found in the PCI Requirements and Security Assessment Procedures v1.2 document.
  Download the Attestation of Compliance for Onsite Assessments – Service Providers.
- The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based on the externally-facing Internet Protocol (IP) addresses provided by the service provider. Level 1 and 2 service providers are responsible for ensuring that a quarterly network scan is performed on their Internet-facing perimeter systems by an Approved Scanning Vendor.
  Download the list of Approved Scanning Vendors.
A Visa client who uses a service provider, or whose merchant uses a service provider, that is not compliant should refer that service provider to this site for information on how to become compliant.
For more information
To learn more about Visa's compliance programs, contact Visa via email at AskVisaUSA@Visa.com.

