Service providers

Service providers are organisations that process, store or transmit Visa cardholder data on behalf of Visa clients, merchants or other service providers.

Both issuers and acquirers must use service providers that are compliant with the Payment Card Industry Data Security Standard (PCI DSS), and they are also responsible for ensuring that their merchants use such providers. Although there may not be a direct contractual relationship between merchant service providers and acquirers, Visa issuers and acquirers are responsible for any liability that may occur as a result of non-compliance.

We maintain a list of PCI DSS validated service providers to help you locate a validated service provider in Europe. Download the PCI DSS Validated Service Providers List (PDF, 0.3MB) or find out more about the submission and validation procedures below.

Service provider levels

Service providers are split into two levels based on the volume of annual Visa transactions. Service provider levels are defined as:

Level one

Visa System processors or any service provider that stores, processes and/or transmits more than 300,000 Visa transactions annually.

Level two

Any service provider that stores, processes and/or transmits fewer than 300,000 Visa transactions annually.

Only level one service providers appear on our PCI DSS Validated Service Provider List (PDF, 0.35MB).

Compliance validation

All service providers must be able to verify and demonstrate PCI DSS compliance. The compliance validation requirements for both levels are outlined below.

Level one (due date: 1 April 2009)

  • Annual On-site PCI Data Security Assessment – validated by a Qualified Security Assessor
  • Quarterly Network Scan – validated by an Approved Scanning Vendor

Level two (due date: 1 April 2009)

  • Annual PCI Self-Assessment Questionnaire – validated by the service provider
  • Quarterly Network Scan – validated by an Approved Scanning Vendor

Compliance validation procedures

The following are the detailed compliance validation procedures for level one and two service providers. A Visa member who uses - or whose merchant uses - a service provider that is not compliant should refer that service provider to this site for information on how to become compliant.

All service providers

  • Attestation of Compliance for On-site Assessments – Service Providers: This must be completed by all service providers validating compliance. It must be completed with their assessor and submitted to Visa. The attestation can be found in the PCI DSS Requirements and Security Assessment Procedures v1.2 / v2.0 document.

    Please note that both versions can be used until December 2011; from 1 January 2012 we will only accept version 2.0.

    Visit the PCI Security Standards Council site to download the relevant documentation
  • Quarterly Network Security Scan: This is an automated tool that checks systems for vulnerabilities and must be completed by all service providers. It conducts a non-intrusive scan to remotely review networks and web applications based on the externally facing Internet Protocol (IP) addresses provided by the service provider. Level one and two service providers are responsible for ensuring that a quarterly network scan is performed on their internet-facing perimeter systems by an Approved Scanning Vendor.

    Visit the PCI Security Standards Council site to download the relevant documentation

Level one service providers only

  • Annual On-site PCI Data Security Assessment: This must be completed by level one service providers according to the PCI DSS Requirements and Security Assessment Procedures v1.2 document. This document is also to be used as the template for the Report on Compliance (ROC). Level one service providers should engage a Qualified Security Assessor to complete the ROC.

    Visit the PCI Security Standards Council site to download the relevant documentation

Level two service providers only

  • Self-Assessment Questionnaire (SAQ): This must be completed by level two service providers; level two service providers will not appear on the list of PCI DSS validated service providers unless they undergo a level one on-site security assessment. They should submit version D of the SAQ (version 1.2 / 2.0), which also includes an Attestation of Compliance (AOC). We will keep a record of the self-assessment on file.

    Please note that both versions can be used until December 2011; from 1 January 2012 we will only accept version 2.0.

PCI DSS Validated Service Providers List

Visa Europe manages a list of service providers who have undergone an on-site security assessment in accordance with the requirements for a level one service provider. The list is updated monthly. The documentation submission procedures and validation dates are explained below.

Documentation submission procedures

All materials must be sent securely via PGP encryption to pcidsseurope@visa.com. If PGP is not available, please contact Visa at pcidsseurope@visa.com to discuss an alternative submission method.

Qualified Security Assessors (QSAs) must submit only fully executed Attestation of Compliance (AOC) forms, properly signed by the QSA and the service provider confirming PCI DSS compliance. The ROC and the QSA confirmation form must clearly state the scope of the service provider’s PCI DSS assessment. The deadline for submission of fully correct documentation is the 15th of each month for inclusion in the update at the end of that month. Where a ROC and/or AOC must be returned to the QSA due to errors or omissions, we will inform the service provider so that they are aware of delays.

All issues relating to the quality of documentation received will result in the return of the documentation and delays in being listed. Significant or repeated issues will be reported to the PCI SSC.

The following must be sent to Visa Europe at pcidsseurope@visa.com in order for a service provider to appear on the list of validated service providers:

  1. Attestation of Compliance (AOC)
    The AOC must refer to the correct version and date of the final ROC and must be signed by both the QSA and the service provider.

    Visit the PCI Security Standards Council site to download the relevant documentation

  2. Report on Compliance (ROC)
    The ROC must be completed using the template provided in the PCI DSS Requirements and Security Assessment Procedures v1.2 / 2.0 document. Level one service providers should engage a QSA to complete the ROC. Details of the Quarterly Network Scans should be included in the ROC.

    Please note that both versions can be used until December 2011; from 1 January 2012 we will only accept version 2.0.

    Visit the PCI Security Standards Council site to download the relevant documentation

  3. PCI DSS Scope and QSA Confirmation
    QSAs should submit the PCI DSS Scope and QSA Confirmation form supplied by Visa Europe. The confirmation covers two areas:
    • Scope of services included in the audit
    • Confirmation that the documents have been quality checked by a second qualified person. This excludes organisations where there is only one QSA.

    Download the PCI DSS Scope and QSA Confirmation document v3 (PDF, 0.5MB)

  4. Agent Registration
    All service providers must be registered with Visa Europe as an agent by a Visa Europe member prior to appearing on the list of validated service providers. To register as an agent, contact your acquirer and request to be registered with Visa Europe.

    Service providers based outside of Europe can appear on the list of validated service providers if they are registered by a Visa Europe member. It is the responsibility of the service provider to ensure that they are registered correctly.

    Note:
    Visa Europe will not necessarily review the contents of the SAQ or ROC. This is because the Visa Europe members who use the service providers are responsible for reviewing the accuracy of the validation documentation.

Validation dates

The Validation Date is the month in which the service provider is PCI DSS compliant as validated by a Qualified Security Assessor (QSA). The Annual Revalidation Date is 12 months from the Validation Date. On our list of PCI DSS validated service providers, orange indicates service providers that are 1 to 60 days behind in their annual revalidation, and red indicates those that are 61 to 90 days behind. Once the service provider has revalidated their compliance and submitted the appropriate documentation, the listing will return to black with their new validation date. A service provider that does not revalidate PCI DSS compliance within 90 days of its annual due date will be removed from the list.

More information

Contact Visa Europe at agentcompliance@visa.com to learn more about Visa Europe's data security compliance programmes.