
Third Party Agent

The Agent Registration Program helps Visa clients comply with the Visa Inc. Operating Regulations ("Visa rules") and policies governing their use of Third Party Agents (TPAs). Visa issuing and acquiring clients are required to perform due diligence reviews of their TPAs so that they understand each TPA's business model, financial condition, background and compliance status, including but not limited to compliance with the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Card Industry PIN Standards (PCI PIN). Agent registration is required for every entity that performs solicitation activities and / or stores, processes or transmits Visa account numbers for Visa clients (or on behalf of their merchants).

A TPA can perform any or all of the functions of an Independent Sales Organization (ISO), Third Party Servicer (TPS), Encryption Support Organization (ESO) or Merchant Servicer (MS). Each function the TPA performs must be registered separately by each Visa client that uses that service. TPA functions that require registration include but are not limited to:

  • Merchant or cardholder solicitation activities and / or customer service — these are performed by an ISO
  • Prepaid program solicitation activities and / or customer service — these are performed by an ISO
  • Loading or injecting encryption keys into ATMs, terminals or PIN pads — these are performed by an ESO
  • Loading software into an ATM or terminal — these are performed by an ESO
  • Storing, processing or transmitting Visa account numbers — these are performed by either a TPS or a MS
  • Deploying and / or servicing ATMs — these are performed by an ISO

Details for all service providers

Both issuers and acquirers must use, and are responsible for ensuring that their merchants use, service providers that are properly registered with Visa. Where applicable they must also ensure that all such entities are compliant with the PCI DSS and PCI PIN. Although there may not be a direct contractual relationship between merchant service providers and acquirers, Visa acquirers are responsible for any liability that may occur as a result of non-compliance.

Service providers who store, process or transmit cardholder data must be registered with Visa prior to inclusion on the list of PCI DSS-validated service providers. To locate a validated service provider, download the Global List of PCI DSS-Compliant Service Providers (PDF | 305k).

Service providers who perform solicitation activities or perform ATM support activities must be registered with Visa to be included on the List of Registered Independent Sales Organizations (ISO) and Encryption Support Organizations (ESO). To locate a properly registered ISO or ESO, download the List of Registered Independent Sales Organizations and Encryption Support Organizations (PDF | 482k).

For more information about the registration process, review Third Party Agent (TPA) frequently asked questions (FAQs) (PDF | 35k). For specific questions not covered in the FAQs, contact Visa via email at AgentRegistration@Visa.com.

Service provider levels defined

Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa Issuing and Acquiring clients, merchants, or other service providers. Service provider levels are defined as:

Level 1: VisaNet processors, or any service provider that stores, processes and/or transmits over 300,000 transactions per year
Level 2*: Any service provider that stores, processes and/or transmits fewer than 300,000 transactions per year

*Effective February 1, 2009, Level 2 service providers will no longer be listed on Visa's List of PCI DSS Compliant Service Providers. Entities that wish to appear on the Global List of PCI DSS Validated Service Providers must validate as Level 1 providers.

Compliance validation basics

In addition to adhering to the PCI DSS, compliance validation is required for all service providers.

Level 1
  • Annual On-Site PCI Data Security Assessment, performed by a Qualified Security Assessor (QSA)
  • Quarterly Network Scan, performed by an Approved Scanning Vendor (ASV)
Level 2
  • Annual PCI Self-Assessment Questionnaire, completed by the service provider itself
  • Quarterly Network Scan, performed by an Approved Scanning Vendor (ASV)

Validation procedures and documentation

Effective February 1, 2009, Visa will only require submission of an executed Attestation of Compliance Form and the "Executive Summary" section of the service provider's Report on Compliance (ROC) to demonstrate PCI DSS compliance as a Level 1 service provider. Level 2 service providers will submit version D of the Self-Assessment Questionnaire (SAQ).

All materials must be sent securely via Pretty Good Privacy (PGP) encryption to pcirocs@visa.com. If PGP is not available, please contact Visa at pcirocs@visa.com to discuss an alternative submission method. Qualified Security Assessors (QSAs) must submit only fully executed Attestation of Compliance forms, properly signed by the QSA and the service provider confirming compliance with the PCI DSS. The ROC Executive Summary must clearly state the scope of the service provider's PCI DSS assessment. Visa reserves the right to require submission of a service provider's complete ROC.
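As an added example (shell script, not Visa's own tooling or instructions), the script below prepares a submission file with GnuPG. The recipient address pcirocs@visa.com is the one named above, but the key file name visa-pcirocs.asc, the fingerprint and the signer user ID in the usage line are hypothetical placeholders. Obtain the recipient's public key and confirm its fingerprint with the recipient through a channel other than e-mail before relying on it: anyone can publish a key that claims a given address, so matching on the address alone proves nothing. The script therefore refuses to encrypt unless a key with the expected fingerprint is present, encrypts to that fingerprint rather than to the address, and signs the package so the recipient can tell it came from the service provider or its QSA. The selftest function runs the whole round trip offline in two throwaway keyrings with constructed sample data.

```sh
#!/bin/sh
# Added example, not Visa's own tooling: encrypt a PCI DSS validation package
# (AOC, ROC Executive Summary or SAQ) for a PGP recipient before e-mailing it.
# Assumes GnuPG 2.1+ is installed and that the recipient's public key AND its
# fingerprint were obtained and confirmed out of band. All key files, user IDs
# and fingerprints used below are hypothetical.
set -e

# encrypt_for_recipient KEYFILE EXPECTED_FPR INFILE OUTFILE [SIGNER_UID]
# Imports KEYFILE into the current GNUPGHOME, refuses to continue unless a key
# with fingerprint EXPECTED_FPR is then present, and writes INFILE as an
# ASCII-armored, encrypted (and, with SIGNER_UID, signed) OUTFILE. The message
# is encrypted to the fingerprint, not to an e-mail address, so a look-alike
# key carrying the same address can never be selected. Non-zero on failure.
encrypt_for_recipient() {
  keyfile="$1"; expected_fpr="$2"; infile="$3"; outfile="$4"; signer="${5:-}"
  sign_args=""
  gpg --batch --quiet --import "$keyfile" 2>/dev/null
  if ! gpg --batch --with-colons --fingerprint "$expected_fpr" 2>/dev/null \
        | awk -F: '/^fpr:/ { print $10 }' | grep -qx "$expected_fpr"; then
    echo "no key with fingerprint $expected_fpr present; refusing to encrypt" >&2
    return 1
  fi
  # SIGNER_UID must not contain spaces; it is deliberately word-split below.
  if [ -n "$signer" ]; then sign_args="--sign --local-user $signer"; fi
  # --trust-model always: trust was established by the fingerprint check above,
  # not by the web of trust, so gpg must not stop for an interactive prompt.
  gpg --batch --yes --quiet --armor --trust-model always $sign_args \
      --recipient "$expected_fpr" --output "$outfile" --encrypt "$infile"
}

# selftest: exercise the function offline with two throwaway keyrings, one for
# the submitter and one for the recipient, and a constructed sample package.
# Returns 0 only if (a) the recipient recovers the exact bytes, (b) the
# submitter's signature verifies, and (c) a wrong fingerprint is refused.
selftest() {
  work="$(mktemp -d)"; sub="$work/submitter"; rcpt="$work/recipient"
  mkdir -m 700 "$sub" "$rcpt"
  printf 'Attestation of Compliance (constructed test data)\n' > "$work/aoc.txt"

  # Recipient side: generate a key, publish its public half and fingerprint.
  export GNUPGHOME="$rcpt"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Recipient (test) <recipient@example.invalid>' default default never
  gpg --batch --quiet --armor --export recipient@example.invalid > "$work/recipient.asc"
  fpr="$(gpg --batch --with-colons --fingerprint recipient@example.invalid \
         | awk -F: '/^fpr:/ { print $10; exit }')"

  # Submitter side: own signing key, then the call under test.
  export GNUPGHOME="$sub"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Submitter (test) <submitter@example.invalid>' default default never
  encrypt_for_recipient "$work/recipient.asc" "$fpr" \
      "$work/aoc.txt" "$work/aoc.asc" submitter@example.invalid
  # (c) a fingerprint that was never imported must be refused, not encrypted to.
  if encrypt_for_recipient "$work/recipient.asc" \
       0000000000000000000000000000000000000000 "$work/aoc.txt" "$work/bad.asc" 2>/dev/null; then
    return 1
  fi
  gpg --batch --quiet --armor --export submitter@example.invalid > "$work/submitter.asc"

  # Recipient side again: decrypt and require a good signature from the submitter.
  export GNUPGHOME="$rcpt"
  gpg --batch --quiet --import "$work/submitter.asc" 2>/dev/null
  gpg --batch --quiet --status-fd 1 --output "$work/aoc.out" --decrypt "$work/aoc.asc" \
      | grep -q '^\[GNUPG:\] GOODSIG '
  [ "$(cat "$work/aoc.txt")" = "$(cat "$work/aoc.out")" ]
  rc=$?

  for h in "$sub" "$rcpt"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
  unset GNUPGHOME; rm -rf "$work"
  return "$rc"
}

case "${1:-}" in
  --selftest) selftest && echo "round trip OK" ;;
  "") ;;   # no arguments (e.g. when sourced): only define the functions
  *) encrypt_for_recipient "$@" ;;
esac
```

Usage, with hypothetical names: `./pgp_submit.sh visa-pcirocs.asc <confirmed fingerprint> AOC.pdf AOC.pdf.asc qsa@example.invalid` produces AOC.pdf.asc for attachment, and `./pgp_submit.sh --selftest` runs the round trip. The passphrase-less keys exist only so the self-test runs unattended; a real signing key should stay under your normal gpg-agent passphrase handling, which the encrypt function does not override.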

All service providers must be PCI compliant prior to beginning services in which they would have access to cardholder data.

The Annual On-Site PCI Data Security Assessment must be completed for Level 1 providers according to the PCI Requirements and Security Assessment Procedures v1.2 document. This document is also to be used as the template for the Report on Compliance.

Level 1 service providers must engage a Qualified Security Assessor to complete the Report on Compliance.

Download the PCI Data Security Standard v1.2.

The Attestation of Compliance for Onsite Assessments – Service Providers must be completed by all service providers validating compliance and their assessor and submitted to Visa. The Attestation of Compliance for Onsite Assessments – Service Providers can be found in the PCI Requirements and Security Assessment Procedures v1.2 document.

Download the Attestation of Compliance for Onsite Assessments – Service Providers.

The Quarterly Network Security Scan is a non-intrusive, automated vulnerability scan that remotely reviews the networks and Web applications reachable at the externally facing Internet Protocol (IP) addresses supplied by the service provider; an Internet-facing system whose address is left off that list is not scanned, so the list must cover the whole in-scope perimeter. Level 1 and Level 2 service providers are responsible for ensuring that an Approved Scanning Vendor performs this scan on their Internet-facing perimeter systems every quarter.

Download the list of Approved Scanning Vendors.

A Visa client who uses a service provider, or whose merchant uses a service provider, that is not compliant with the PCI DSS should refer that service provider to this site for information on how to get registered and validate PCI DSS compliance.

For more information

To learn more about Visa's compliance programs, contact Visa via email at AskVisaUSA@Visa.com.

Related Information

  • Service Providers
    Compliance validation details for service providers.
  • Alerts, Bulletins & Webinars
    Visa issues security alerts when vulnerabilities are detected in the marketplace.
  • Tools and FAQ
    Take advantage of these valuable resources to learn more about the PCI Data Security Standard and Visa compliance requirements.