Cardholders   Commercial   Merchants   Value of Visa   Media Center      South Asia  
Search:

Navigation

    Card Acceptance Account Info Security Payment Applications Chip Technology Travellers Cheque Acceptance Merchant Education

Account Information Security (AIS)

VisaNet Processors (VNPs)


Introduction

VisaNet Processors (VNPs) are entities (Visa client and non-Visa client) that are directly connected to the Visa payment network and fulfill an essential role in the payment process and in protecting cardholder data. 
 
Visa's guiding principles for Payment Card Industry Data Security Standards (PCI DSS) compliance for VNPs and service providers are:

  • All client VNPs and service providers that store, process and/or transmit card data must comply with PCI DSS
  • Visa clients are responsible and liable for the actions of their service providers; at a minimum they must ensure that cardholder data is properly protected by complying with PCI DSS
  • All VNPs and service providers that store, process and/or transmit card data must demonstrate their PCI DSS compliance every 12 months

Types of VisaNet Processors 

VisaNet Processors (VNPs) are classified into three categories:
 
Description

1

Third party VNPs are entities (non-Visa clients) that are connected directly to VisaNet and provide issuer and/or acquirer card processing services to Visa clients, merchants and/or other service providers.


2

Client VNPs acting as service providers are Visa clients or
client-owned entities that are connected directly to VisaNet who provide issuer and/or acquirer card processing services to other Visa clients, merchants that are not acquired by them and/or others.


3

Client Acquiring VNPs are Visa acquirers or client-owned VNPs that only process acquiring transactions for their merchants only and using BINs specifically licensed to them.


Back to top

Compliance Validation and Submission Requirements

VisaNet processors (VNPs) have to validate their PCI DSS compliance as follows: 
 
Validation RequirementsSubmission Requirement
Third Party
VNPs

Client VNPs
acting as 
Service
Providers

- Annual PCI DSS onsite review
  by a Qualified Security Assessor
  (QSA)

- Quarterly network scan by an
  Approved Scanning Vendor
  (ASV)


Submit Report on Compliance
(ROC) issued by a Qualified
Security Assessor (QSA) and
completed Attestation of
Compliance form, indicating full
PCI DSS compliance.

Client
Acquiring VNPs
 

- Annual PCI DSS onsite review
  by a Qualified Security Assessor
  (QSA) or Internal review

- Quarterly network scan by an
  Approved Scanning Vendor
  (ASV)


Submit PCI DSS Report on
Compliance (ROC) identifying
level of compliance, and
completed Attestation of
Compliance form. If not fully
compliant, a remediation plan must
be provided to Visa.

 
All submission is to be sent to vpssais@visa.com.

Back to top

New VisaNet Processors 

All new issuing and acquiring VNPs, including existing VNPs that implement new connections to Visa, must comply with the Visa connection requirements, including:

  • Prior to connecting to VisaNet, the entity must demonstrate full compliance with PCI DSS via the submission of the Report on Compliance (ROC) issued by the Qualified Security Assessor (QSA) and the completed Attestation of Compliance form to Visa.

Back to top

  • Printable Page

Quick Links

 

External Links

 
 
Home | About Visa | Careers | Site Map | Legal | Privacy Policy | Hyperlink Guidelines | Global Sites | Asia Pacific Sites
© Copyright Visa. All Rights Reserved.