Service providers

Service providers are organisations that process, store or transmit Visa cardholder data on behalf of Visa clients, merchants or even other service providers. They consist of merchant agents (who provide services to merchants) and member agents (who provide services to members).

Issuers and acquirers are responsible for making sure that all of their service providers are Payment Card Industry Data Security Standard (PCI DSS) compliant and are correctly registered with Visa Europe.

Registering service providers with Visa Europe

Service provider levels

There are two levels of service provider depending on the annual number of transactions they store, process or transmit.

Level 1 member agents

Visa System Processors or any service provider that stores, processes and/or transmits more than 300,000 Visa transactions annually.

Level 2 member agents

Any service provider that stores, processes and/or transmits fewer than 300,000 Visa transactions annually.

Steps to registering a member agent with Visa Europe

Step 1: Demonstrating PCI DSS compliance

Members must be able to verify and demonstrate PCI DSS compliance for any member agents. Validation documents (see below) can be submitted by the Member, the member agent or the Qualified Security Assessor (QSA) using the process described. You can find copies of all the documents mentioned below on the PCI DSS website, with the exception of the Scope of Audit form, which QSAs can obtain by emailing pcidsseurope@visa.com.

Validation documents required for Level 1 member agents

Level 1 member agents should be able to provide and submit the following documents to Visa Europe:

  1. Attestation of Compliance (AOC)
     This must be completed by a QSA for all Level 1 member agents validating compliance. The attestation can be found in the PCI DSS Requirements and Security Assessment Procedures v1.2 / v2.0 document. If the assessment was carried out before 31 December 2011 you should use version 1.2 of the AOC. For any assessments carried out after that date, you should use version 2.0. The AOC must refer to the correct version and date of the final Report on Compliance (ROC) and must be signed by both the QSA and the member agent.
  2. Report on Compliance (ROC)
     The ROC can be completed using the template provided in the PCI DSS Requirements and Security Assessment Procedures. If the assessment was carried out before 31 December 2011 you should use version 1.2. For any assessments carried out after that date, you should use version 2.0 of the ROC. Level 1 member agents should engage a QSA to complete the ROC. Details of the passed quarterly network scans should be included in the ROC.
  3. Agent Registration and Designation (ARD) form
     All member agents must also be properly registered with Visa Europe as an agent by a Visa Europe Member by submitting an ARD form. Member agents based outside of Europe can be listed on Visa Europe’s List of PCI DSS compliant service providers if they are registered by a Visa Europe Member. It is the responsibility of the member agent to request that the Visa Europe Member they provide services to, either directly or through a merchant, registers them correctly. If you are a member agent, you can download a copy of the ARD form via www.visaonline.com.
  4. Scope of Audit form
     QSAs hold copies of the Scope of Audit form. It should be completed and signed by the QSA and submitted along with the other documentation.
  5. A passed quarterly network scan provided by an Approved Scanning Vendor (ASV)
     An ASV scan is an automated check of systems for vulnerabilities. Level 1 and Level 2 member agents are responsible for ensuring that an ASV performs a network scan of their internet-facing perimeter systems at least quarterly. You can find a list of ASVs here.

Validation documents required for Level 2 member agents

Level 2 member agents should be able to provide and submit the following documents to Visa Europe:

  1. Annual Self-Assessment Questionnaire (SAQ) including the Attestation of Compliance (AOC)
     Level 2 member agents should submit version D of the SAQ. If it was completed before 31 December 2011, you should use version 1.2. After that date, you should make sure you use version 2.0. The SAQ should also include an AOC. We will keep a record of the self-assessment on file. Level 2 member agents will not appear on the list of PCI DSS validated service providers unless they undergo a Level 1 onsite security assessment by a QSA.
  2. A passed quarterly network scan provided by an ASV
     An ASV scan is an automated check of systems for vulnerabilities. Level 1 and Level 2 member agents are responsible for ensuring that an ASV performs a network scan of their internet-facing perimeter systems at least quarterly. You can find a list of ASVs here.
  3. Scope of Self Validation form
     You will need to complete and submit a Scope of Self Validation form. It should be completed and signed by the QSA and submitted along with the other documentation listed. You can obtain a copy by emailing agentcompliance@visa.com.
  4. Agent Registration and Designation (ARD) form
     All member agents must also be properly registered with Visa Europe as an agent by a Visa Europe Member by submitting an ARD form. Member agents based outside of Europe can be listed on Visa Europe’s List of PCI DSS compliant service providers if they are registered by a Visa Europe Member. It is the responsibility of the member agent to request that the Visa Europe Member they provide services to, either directly or through a merchant, registers them correctly. A copy of the ARD form can be downloaded via www.visaonline.com.

Step 2: Submitting documentation to Visa Europe

All PCI DSS materials should be sent securely via PGP encryption to pcidsseurope@visa.com. If you wish to download your own copy of PGP please visit www.pgp.com. If you wish to exchange PGP keys with Visa Europe please contact us at pcidsseurope@visa.com. The ARD form should be sent to agentcompliance@visa.com.

Step 3: Make sure documentation is up to date

Remember that PCI DSS compliance is an annual process and must be revalidated each year. The validation date is the month in which the member agent was assessed as PCI DSS compliant by a QSA. The annual revalidation date is 12 months from the validation date.

Deadlines for submission

The deadline for submission of fully correct documentation for the Visa Europe web listing is the 15th of each month, for inclusion in the update effective at the start of the next month. No deviations or extensions will be permitted.

More information

Email us at agentcompliance@visa.com.