Payment Card Industry Data Security Standard (PCI DSS) Validated Service Providers

Service providers that store, process or transmit Visa cardholder data must be registered with Visa and demonstrate PCI DSS compliance¹. PCI DSS compliance validation is required every 12 months for all service providers. Inclusion on the Registry indicates only that the service provider successfully validated PCI DSS compliance with an on-site assessment, based on the report of an independent Qualified Security Assessor (QSA), and has met all applicable Visa program requirements.

Annual Revalidation

Service providers that store, process or transmit Visa cardholder data must demonstrate PCI DSS compliance and provide the compliance validation to Visa every 12 months. Non-compliance assessments begin at 10,000 USD per service provider (assessed to each registering Visa member).

The Registry is updated once a month. For service providers published on the Registry, if Visa does not receive the appropriate revalidation documents:

• Within 1 - 60 days upon expiry of the validation documents, the service provider will be highlighted in Yellow on the Registry
• Within 61 - 90 days upon expiry of the validation documents, the service provider will be highlighted in Red on the Registry.
• After 91 days, the service provider will be removed from the Registry.

Please note that Visa reserves the rights to remove any service provider from the Registry at its discretion.

Back to top

Visa Third Party Agent Program (Independent Sales Organizations / Encryption Support Organizations)

Third Party Agents that perform solicitation activities (ISO) or deploy ATM, POS or kiosk PIN acceptance devices and/or manage encryption keys (ESO) without touching cardholder data must be registered with Visa. Inclusion on the Registry indicates only that the service provider successfully completed registration with Visa.

Changes and Updates

Service providers are required to notify their financial institution(s) of changes to any information such as: legal name / business aliases; doing business as name (DBA); mergers and acquisitions; legal location or additional business locations; company point of contact; types of services offered; number of Visa transactions or accounts processed annually; compliance status (where applicable); and financial solvency.

Back to top

Visa Access Control Server (ACS) Service Provider Program

Access Control Server (ACS) Service Providers are third-party providers of 3D Secure ACS services that enable secure processing of payment transactions over the Internet. Visa approved ACS Service Providers have validated their security and program compliance to Visa and are listed on the Visa Global Registry of Service Providers.

Prospective ACS service providers seeking to participate in Visa's ACS Service Provider Program must undergo on-site inspections and reviews of their financial background.

Validation

Approved ACS Service Providers offering services to Visa issuers for online internet transactions must demonstrate compliance to Visa program requirements and applicable security requirements. Contact your Visa Risk Representative to learn about program and validation requirements for your region.

The Registry is updated once a month. For ACS Service Providers published on the Registry, if Visa does not receive the revalidation documents:

• Within 1 - 60 days upon expiry of the validation documents, the service provider will be highlighted in Yellow on the Registry.
• Within 61 - 90 days upon expiry of the validation documents, the service provider will be highlighted in Red on the Registry.
• After 91 days, the service provider will be removed from the Registry.

Changes and Updates

Visa approved ACS Service Providers are required to notify Visa of changes to any information such as: legal name / business aliases; doing business as name (DBA); mergers and acquisitions; legal location or additional business locations; company point of contact; types of services offered; compliance status (where applicable); and financial insolvency.

Back to top

Visa Approved Vendor Program

Visa Approved Vendors are third-party providers of Visa products or services who have validated their security compliance to Visa. Prospective vendors seeking to participate in the Approved Vendor Program (AVP) must undergo due diligence reviews, on-site inspections and reviews of their financial background. They must also sign a contract before participating in the AVP program. Final approval of a new facility is given once the security of the facility is confirmed and, if applicable, the vendor's finished product samples have been successfully reviewed and approved for quality and consistency. When granted, vendor approval is provided by Visa to ensure certain security and operational characteristics important to the Visa systems and products as a whole. However, this does not, under any circumstances, include any endorsement or warranty regarding the functionality, quality, or performance of any particular product or service. Visa does not warrant any products or services provided by third parties. All rights and remedies regarding products and services, which have received Visa approval, shall be provided by the party providing such products or services, and not by Visa.

The Visa Rules require Members to use only approved vendors, Visa or another Issuer for the manufacture, personalization, chip embedding, initialization, data preparation, fulfillment of Visa products, over-the-air (OTA) personalization or cloud-based payment providers in support of Visa’s cloud-based payments program.

The Visa Global Registry of Service Providers lists all approved vendors (card manufacturers, magnetic-stripe card personalizers, IC personalizers, IC pre-personalizers, over-the-air personalizers and cloud-based payment providers) approved by Visa to produce Visa products or perform cloud-based services under the Visa Approved Vendor Program.

Members placing orders for the manufacture, personalization, fulfillment, or initialization of Visa products or contracting for cloud-based services may contract with any of the Visa approved vendors on the list.

Annual Revalidation

All approved vendors providing services to Visa issuers for payment products bearing the trademark or service marks of Visa must on an annual basis, comply with; Visa program requirements, including submission of annual reporting and payment of program fees, PCI Card Production Security Requirements and/or other applicable security requirements. Approved vendors must demonstrate compliance to required security requirements every 12 months. For approved vendors published on the Registry, if Visa does not receive the revalidation documents or the approved vendor falls into program non-compliance:

The Registry is updated once a month.

• Within 1 - 60 days upon notification of being placed in a Warning Status, the vendor will be highlighted in Yellow on the Registry.
• Within 61 - 90 days upon notification of being placed in a Probation Status, the vendor will be highlighted in Red on the Registry.
• After 91 days, the vendor will be removed from the Registry.

Applicable Security Requirements

Within the Approved Vendor Program, vendors are required to validate annually against one or more security requirements. Approved vendor security requirements are:

• PCI Card Production Physical Security Requirements
• PCI Card Production Logical Security Requirements
• Visa Global Physical Security Validation Requirements for Data Preparation, Encryption Support and Fulfillment Card Vendors
• Visa Global Security Requirements for Secure Element Vendors and OTA Service Providers
• Visa Cloud-Based Payments Provider Security Requirements

Note: PCI DSS does not apply to services within the Approved Vendor Program.

Changes and Updates

Visa approved vendors are required to notify Visa of changes to any information such as: legal name / business aliases; doing business as name (DBA); mergers and acquisitions; legal location or additional business locations; company point of contact; types of services offered; compliance status (where applicable); and financial insolvency.

Back to top

Visa PIN Security Program

New to the Visa Global Registry of Service Providers are Visa PIN Program participants who have successfully demonstrated compliance with Visa PIN Security Program requirements. The PIN Security Program outlines the minimum acceptable criteria for securing PINs and encryption keys.

The PIN Security Program focuses on entities that process PIN data or perform key management activities on behalf of Visa clients. Visa PIN Program participants include:

• PIN-Acquiring Third-Party VisaNet Processor (VNP) - A third-party entity that is directly connected to VisaNet and provides acquiring PIN processing services to members.
• PIN-Acquiring Client VisaNet Processor Acting as a Service Provider - A Visa member or member-owned entity that is directly connected to VisaNet and provides PIN-acquiring processing services to members and merchants.
• PIN-Acquiring Third-Party Servicers (TPS) - A PIN-acquiring agent that stores, processes or transmits Visa account numbers and PINs on behalf of Visa members.
• Encryption and Support Organization (ESO) - An entity deploying ATM, point-of-sale (POS) or kiosk PIN acceptance devices that process and accept cardholder PINs and/or manage encryption keys (i.e., key injection facilities).

Visa clients that utilize the services of validated PIN Program participants have reasonable assurance that the secrecy of cardholder PINs is maintain and the integrity of key management procedures is preserved.

The Visa Rules require Members to ensure their acquiring third party agents that process or handle PIN data comply with Visa PIN Security Program requirements and that their own processing environment(s) that process or handle PIN data comply with applicable security requirements.

Validation Requirements

PIN Program participants are required to contract directly with a Visa approved security assessor to perform an onsite review to demonstrate compliance to Visa program requirements and applicable security requirements. PIN program participants who successfully demonstrate compliance are listed on the Visa Global Registry of Service Providers.

PIN participants are required to revalidate their compliance every 24 months. Non-compliance assessments may be levied for failure to do so.

The Registry is updated once a month. For PIN Program participants published on the Registry, if Visa does not receive the revalidation documents:

• Within 1 - 60 days upon expiry of the validation documents, the PIN Program Participant will be highlighted in Yellow on the Registry.
• Within 61 - 90 days upon expiry of the validation documents, the PIN Program Participant will be highlighted in Red on the Registry.
• After 91 days, the PIN Program Participant will be removed from the Registry.

Changes and Updates

Visa PIN Program Participants are required to notify Visa of changes to any information such as: legal name / business aliases; doing business as name (DBA); mergers and acquisitions; legal location or additional business locations; company point of contact; types of services offered; compliance status (where applicable); and financial solvency.

Back to top

Visa Issuer Processor Program

The Visa Issuer Processor Program lists issuer processors that have met a minimum set of criteria to demonstrate to Visa that they are capable of supporting a new program implementation or conversion. The program is intended to support and catalyze growth of new and existing Visa Issuers by introducing capable processors on a geography and region specific basis. VIPP inclusion does not constitute a partnership or reseller agreement with Visa.

Validation requirements

While the assessment process will vary by region, a questionnaire will be provided to interested parties and is designed to ensure platform strength and capability, processing consistency and responsible business practices. Visa will request annual financial documentation and updates if any material changes to the processor occur at any time during the year.

Changes and Updates

Visa service providers are required to notify Visa of changes to any information including, but not limited to: legal name / business aliases; doing business as name (DBA); mergers and acquisitions; legal location or additional business locations; company point of contact; types of services offered; compliance status (where applicable); and financial insolvency.

Back to top

---

*The companies listed were validated as being PCI DSS compliant by a QSA as of the "VALIDATION DATE (1)". Service providers are required to revalidate their compliance to Visa every 12 months, with the Attestation of Compliance (AOC) and full Report on Compliance (ROC) (as applicable) due to Visa one year from the "VALIDATION DATE". Entities are listed in each Visa region where they have been registered by at least one client, including: AP - Asia Pacific, CEMEA - Central & Eastern Europe / Middle East / Africa, LAC - Latin America / Caribbean, CAN - Canada, U.S. - United States. Visa clients are responsible for and are required to use compliant service providers and to follow up with service providers directly if there are any questions about their compliance status. Visa clients are liable for the service providers they use.

⁽¹⁾PCI DSS assessments represent only a "snapshot" of security in place at the time of the review, and do not guarantee that those security controls remain in place after the review is complete. These reviews did not cover proprietary software solutions that may be used or sold by these service providers.

For service providers registered with Visa Europe, please go to https://www.visaeurope.com/receiving-payments/security/downloads-and-resources.

Please note that Visa reserves the rights to remove any service provider from the Registry at its discretion.