
Service Providers
Compliance validation details for service providers
Both issuing and acquiring members must use, and are responsible for ensuring that their merchants use, service providers that are compliant with the PCI Data Security Standard. Although there may not be a direct contractual relationship between merchant service providers and acquiring members, Visa members are responsible for any liability that may occur as a result of non-compliance.
To locate a validated service provider, download the List of CISP-Compliant Service Providers (PDF, 132k).
Service provider registration
Service providers must be registered with Visa prior to inclusion on the list of CISP-compliant service providers. For more information about the registration process, contact Visa via email at riskinfo@Visa.com.
Service provider levels defined
Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa members, merchants, or other service providers. Service provider levels are defined as:
| Service Provider Level | Description |
|---|---|
| 1 | All VisaNet processors (member and Nonmember) and all payment gateways.* |
| 2 | Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually. |
| 3 | Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually. |
*Payment gateways are a category of agent or service provider that stores, processes, and/or transmits cardholder data as part of a payment transaction. Specifically, they enable payment transactions (e.g., authorization or settlement) between merchants and processors (VisaNet endpoints). Merchants may send their payment transactions directly to an endpoint, or indirectly to a payment gateway.
Compliance validation basics
In addition to adhering to the PCI Data Security Standard, compliance validation is required for all service providers.
| Level | Validation Action | Validated By | Due Date |
|---|---|---|---|
| 1 | | | 9/30/04 |
| 2 | | | 9/30/04 |
| 3 | | | 9/30/04 |
Validation procedures and documentation
Service providers must validate their compliance by submitting the required documentation to Visa. Compliance validation takes place at the service provider's expense, as follows:
- The Annual On-Site PCI Data Security Assessment must be completed for Level 1 and 2 service providers according to the PCI Security Audit Procedures document. This document is also to be used as the template for the Report on Compliance.
  Level 1 and 2 service providers should engage a Qualified Security Assessor to complete the Report on Compliance.
  Download the PCI Security Audit Procedures.
- The Annual PCI Self-Assessment Questionnaire must be completed by Level 3 service providers.
  Download the PCI Self-Assessment Questionnaire.
- The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based on the externally-facing Internet Protocol (IP) address provided by the service provider. Level 1, 2, and 3 service providers are responsible for ensuring that a quarterly network scan is performed on their Internet-facing perimeter systems by an Approved Scanning Vendor.
  Download the Approved Scanning Vendor.
- The Confirmation of Report Accuracy (Service Providers) must be completed by all service providers validating compliance and their assessor and submitted to Visa.
  Download the Confirmation of Report Accuracy (Service Providers) (DOC, 126k).
A member who uses a service provider, or whose merchant uses a service provider, that is not compliant should refer that service provider to the CISP site for information on how to become compliant.
For more information
To learn more about the Visa CISP, contact Visa via email at AskVisaUSA@Visa.com.

