Cardholders   Commercial   Merchants   Value of Visa   Media Center      New Zealand  
Search:

Navigation

    Card Acceptance Account Info Security Visa Payment Security Services Chip Technology Travellers Cheque Acceptance Merchant Education

Account Information Security (AIS)

Service Providers


Introduction

Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa acquirers/issuers, merchants, or other service providers. 
 
Visa issuers and acquirers are responsible for ensuring that all of their service providers comply with the PCI Data Security Standard (DSS) requirements. Visa has prioritized the compliance validation based on the volume of transactions, the potential risk, and exposure introduced into the payment system.
 
Service providers that are directly connected to VisaNet via the VisaNet Extended Access Server (VEAS) are classified as Third Party VisaNet Processors (VNPs). For validation requirements for Third Party VNPs, please click here.

Back to top

Service Provider Levels

Service providers are classified into one of two service provider levels: 
 
Service Provider LevelDescription
1 
Any service provider that stores, processes or transmits
more than 300,000 Visa accounts/transactions* annually

2

Any service provider that stores, processes or transmits
less than 300,000 Visa accounts/transactions* annually


Includes all transactions, regardless of type / channel
 
Service providers that are directly connected to VisaNet via the VisaNet Extended Access Server (VEAS) are classified as Third Party VisaNet Processors (VNPs), regardless of annual transaction volume. For validation requirements for Third Party VNPs, please click here.

Back to top

Compliance Validation Requirements

Under the AIS program, service providers must validate their compliance with PCI DSS as follows: 
Level 1Level 2
More than 300,000 Visa transactions per yearLess than 300,000 Visa transactions per year

Annual PCI DSS onsite review by a PCI SSC Qualified Security Assessor (QSA)

MandatedRecommended

Quarterly network scan by a PCI SSC Approved Scanning Vendor (ASV)

MandatedMandated

Annual PCI DSS
self-assessment
questionnaire (SAQ)

OptionalMandated
 
For details on the validation methods, please click here.

Back to top

Required Compliance Documentation

Visa acquirers / issuers are required to submit to Visa annually the following documents for every one of their service providers unless the service provider has already registered via the Visa Registry of Service Providers Program
 
Service Provider LevelDocuments
Level 1 
1. Executed Attestation of Compliance form.

2. Executive Summary and the Description of  Scope
    of Work and Approach Taken sections of the Report
    on Compliance ("ROC") issued by the QSA. The full
    ROC is not required. However, Visa reserves the rights
    to require the submission of the full ROC.

Level 2

1. Self-Assessment Questionnaire ("SAQ") Version D.
    Visa will not review the contents of the SAQ as issuers
    and acquirers are responsible for reviewing the accuracy
    of the SAQ. 

Back to top

Registry of Service Providers

The Registry of Service Providers is an optional program that service providers can join for the following benefits: 
 
1. Submit their compliance documents (as above) directly to Visa; instead of to all Visa issuers/acquirers that they work with.
 
2. Get listed on the Registry of Service Providers ("Registry") if they have been reported to be fully compliant with PCI DSS via an onsite review by a QSA. Additional information on the service provider such as list of services offered and contact person details will be made available on the Registry.
 
Level 2 service providers that have only completed a self-assessment and performed quarterly network scans are encouraged to register but will not be listed on the Registry.
 
Visa requires service providers to validate PCI DSS compliance every 12 months.  Listed service providers that are 1-60 days late are denoted in yellow and those that are 60-90 days late in red. A service provider that does not revalidate full PCI DSS compliance within 90 days of its annual due date will be removed from the Registry.
 
Click here to find out more about the program and to view the Registry.

Back to top

  • Printable Page

Quick Links

 

External Links

 
 
Home | About Visa | Careers | Site Map | Legal | Privacy Policy | Hyperlink Guidelines | Global Sites | Asia Pacific Sites
© Copyright Visa. All Rights Reserved.