| Q: | Can a service provider that has only completed a PCI DSS self-assessment be listed on the Registry? |
| A: | No. Only service providers that have validated their PCI DSS compliance based on an onsite review by a PCI SSC QSA can be listed on the Registry. |
 |
| Q: | Can I use a service provider that is not listed on the Registry to process card transactions on my behalf? |
| A: | Yes, as long as the service provider is PCI DSS compliant. It is your responsibility to validate their compliance at least once every year. |
 |
| Q: | Do I need to submit the annual Attestation of Compliance to Visa for all my service providers? |
| A: | No - if your service provider has directly registered with Visa. For those that are not directly registered with Visa, you are required to submit to Visa the required attestation documents on their behalf. |
 |
| Q: | Am I still liable for my service providers that are listed on the Registry? |
| A: | Yes. You remain liable for all service providers with which you have a contractual relationship in accordance with the Visa International Operating Regulations (VIOR). |
 |
| Q: | Do I still need to register my service providers with Visa if they are listed on the Registry? |
| A: | Yes. You are still required to register all your service providers under the Third-Party Agent registration program as mandated in Visa International Operating Regulations (VIOR) Section 1.15 (using Exhibit 5E). |
 |
| Q: | Do I need to perform due diligence prior to registering a service provider? |
| A: | Yes. Visa client banks are still required to perform due diligence as required by the Visa International Operating Regulations (VIOR) Section 1.15 and the applicable Visa International By-Laws to mitigate any potential risk. |