Guide to Visa Inc. Agents

Transcription

1 Guide to Visa Inc. Agents AGENT VisaNet Processor Third Party Agent PF DCC Client Acquiring VNP HRIPF ESO Client VNP acting as Service Provider ISO-Merchant ISO DCV ICPIA Third Party VNP ISO-Cardholder TPS ISO-ATM MS ISO-Prepaid CFS ISO-HR ACS Service Provider

2 Glossary Agent An entity that acts as a VisaNet Processor (VNP), Third Party Agent (TPA), or both. VisaNet Processor (VNP) An entity that is directly connected to VisaNet and provides authorization, clearing, or settlement services to merchants and/or clients. Full Name Client Acquiring VNP Client VNP acting as Service Provider Third Party VNP Definition Visa acquirers or client-owned VNPs that only process acquiring transactions for their merchants only and using BINs specifically licensed to them. (Registration not required.) Visa clients or client-owned entities that are connected directly to VisaNet who provide issuer and/or acquirer card processing services to other Visa clients, merchants that are not acquired by them and/or others. Entities (non-visa clients) that are connected directly to VisaNet and provide issuer and/or acquirer card processing services to Visa clients, merchants and/or other service providers Third Party Agent (TPA) An entity that is not defined as a VisaNet Processor that provides payment-related services, directly or indirectly, to a Visa client and/or stores, transmits, or processes cardholder data. A TPA must be registered by all Visa clients utilizing their services, directly or indirectly. A Third Party Agent is exempt from the registration requirements specified in Third Party Agent Registration Requirements and the associated fees if it only provides services on behalf of its affiliates (including parents and subsidiaries) and those affiliates are Members that own and control at least 25% of the Third Party Agent. (Visa International Operating Regulations October 2014)

3 Acronym Full Name Definition Entity that conducts merchant account or transaction processing solicitation, sales, customer service, and merchant training activities. Also acts on behalf of a client for merchant solicitation, sales, deployment or service of POS terminals or equipment. ISO- Merchant (ISO-M) ISO- Cardholder (ISO-C) ISO-ATM Independent Sales Organization Merchant Independent Sales Organization Cardholder Independent Sales Organization ATM (PIN Security) Entity does not have access to the merchant cardholder data (CHD) or the cardholder data environment (CDE). May also sell or resell gateway services (i.e. white label gateway) in conjunction with selling the merchant account and allow the merchant to implement a payment system solution without installing or configuring their own system. Entity will not sign merchant agreement and/or deposit transaction receipts and/or handle merchant s fund disbursement on behalf of the Visa client. Entity that conducts cardholder solicitation, card application processing services and/or customer service activities. Entity that conducts ATM solicitation to merchant locations and/or deploy and/or service qualified ATMs. A qualified ATM is an ATM owned by or sponsored by a valid Visa or Plus client. ISO-Prepaid (ISO PP) Independent Sales Organization Prepaid. Entity that solicits other entities (i.e. merchants, corporate clients, government entities, other businesses etc.) to sell, activate or load prepaid cards on behalf of an issuer. Prepaid card sales and/or activation is a primary function of their business. Prepaid program managers Contract with Issuer; design and run the program including customer service support.

4 ISO-High Risk (ISO- HR) Independent Sales Organization High Risk. Entity that provides merchant solicitation, sales, customer service, merchant transaction solicitation and/or customer training to "high brand risk merchants". PF Payment Facilitator Payment Facilitator is formerly known as Payment Service Provider. A Payment Facilitator is a third party agent that can 1) sign a merchant agreement on behalf of an acquirer, and 2) receive settlement funds from an acquirer on behalf of a sponsored merchant. - Contracts with an acquirer to provide Visa payment services to sponsored merchants - Solicit sponsored merchant for Visa acceptance - Contracts with sponsored merchants to enable Visa payment acceptance - Monitors compliance of sponsored merchant activity in accordance with Visa Rules - Receives settlement of transaction proceeds from the acquirer; and then provide settlement to the sponsored merchant - Must be located within the acquirer s jurisdiction. - Cannot be listed on the Terminated Merchant File (TMF), or similar files - Cannot act as a sponsor for another Payment Facilitator - Excluded merchant types (but may be signed under direct acquiring agreements): Internet pharmacies, Internet pharmacy referral sites, and outbound telemarketers Includes all commerce type aggregation, including face-to-face in addition to e-commerce merchant aggregation. Payment Facilitators may have access to cardholder data (CHD) or the cardholder data environment (CHE). HRIPF High-Risk Internet Payment Facilitator A High Risk Internet Payment Facilitator (HRIPF) is an entity that contracts with the acquirer to provide payment services to high risk merchants, high brand risk merchant, high risk sponsored merchants or high brand risk sponsored merchants and signs one or more merchants belonging to high brand risk merchant category codes, as defined in the Visa Rules.

5 TPS Third Party Servicer Entity that contracts with a Visa client and stores, processes, or transmits Visa account numbers From a Third Party Agent (entity not defined as a VisaNet Processor) perspective, agent must be registered as a TPS. Example of Visa account numbers: PAN, CVV. Scope of services includes- Payment processing: Transaction processing (authorization and clearing and settlement messages, batch transmissions and data capture), virtual card processing (*Not via VisaNet) Value added services: Chargeback/exception processing, secure password delivery, fraud control, fraud verification services, cardholder accounting, statement processing, remittance processing, data warehousing capture, customer service, risk reporting/service, loyalty programs, rewards programs, interactive voice recognition, skip tracing services. Datacenter hosting: Access to the customer s logical space used to store their payment processing system and may provider of additional services such helping their customer maintain the server, and provide power, fire suppression, cameras, biometric scans, physical security. Secure storage facilities: Secure back-up, storage or destruction of electronic and physical media for financial institutions, companies or service providers that have CHD assets but do not electronically store, process or transmit card data. Managed services: Provides services within a third party s CDE, where the managed service provider has access to any cardholder data. Managed services providers usually manage the compliance obligations on behalf of clients for specific requirements within the PCI DSS: application, system management, operations, network management and may perform day-today application, system management, operations with access to cardholder data. Monitoring services: For critical security alerts - Intrusion Detection Systems (IDS), anti-virus, change-detection, compliance monitoring, audit-log monitoring, etc. Network service provider: Cloud & Infrastructure services: network, server, and endpoint management & monitoring. Managed firewall/router provider: Firewall management, migration, monitoring. Statement printing Call center provider: Call centers accessing CHD Token service providers: Transform cardholder data with tokenization or encryption. Corporate T&E charge reporting: Billing, expense reporting, and loyalty/rewards for corporate card issuers Acquirer token service providers: Tokenization solution provider that has overall responsibility for the design and implementation of a specific tokenization solution, and (directly or indirectly through outsourcing) manages tokenization solutions for its customers and/or manages corresponding responsibilities. May manage tokens for merchants and acquirers. Includes Token as a Service (TaaS) providers and token requestor entities.

6 POS services: Deploys and or services POS terminals/atms. Service may include performing maintenance, installation, software or hardware upgrades, replacing POS terminals/atms and accessing the CDE and CHD (remote or physical) but no access to PIN data. Software as a Service (SaaS): Hosting provider that allows customers to use the provider s apps running on provider s cloud infrastructure (hosting of servers, storage, and network components). Platform as a Service (PaaS): Hosting provider where customer deploys consumer-created or acquired applications onto provider s cloud infrastructure (hosting of purchased applications). Infrastructure as a Service (IaaS): Hosting provider that allows the customer to deploy and control its own software on provider s cloud infrastructure (Infrastructure as a Service - cloud infrastructure hosting of proprietary applications. TPS-PIN Third Party Servicer PIN (PIN Security). Entity that contracts with a Visa client and stores, processes, or transmits Visa PIN transactions From a Third Party Agent (entity not defined as a VisaNet Processor) perspective, agent must be registered as a TPS-PIN. Example of Visa PIN transactions: PIN Data from ATM transactions, PIN@POS terminals. ESO Encryption Support Organization (PIN Security). Entity that performs cryptographic key management services to support clients' ATM programs or to deploy Point of Sale PIN Entry Devices (POS PEDs) or PIN pads. ATM and PIN Pad manufacturers that manage various cryptographic key management responsibilities for clients are also considered ESOs. Entities using vendor supplied Remote Key Distribution techniques must ensure that such vendors are registered with Visa as ESOs. An ESO maintains a business relationship with a client that includes: Loading or injecting encryption keys into ATMS, terminals or PIN Pads Loading software into a terminal or ATM which will accept Visa branded cards Merchant help desk support, including re-programming of terminal software

7 MS Merchant Servicer A merchant servicer is a type of third party agent that stores, processes or transmits Visa account numbers on behalf of a client's merchant with which they have a contract. Entity may be contracted by the merchant directly, not with the merchant s acquirer to provide specific merchant payment services that includes Payment Gateways and online shopping cart Payment processing: Transaction processing (authorization and clearing and settlement messages, batch transmissions and data capture), virtual card processing. Qualified Integrator & Reseller*: Sell, install, and/or service payment applications on behalf of software vendors or others. Integrator services may include: servicing the payment applications (for example, troubleshooting, delivering remote updates, and providing remote support). Technology Solution Integrators Provides SaaS (host the software in the cloud or installs applications directly on the server) for a merchant. The integrator's technology is configured to a gateway's system. POS Integrators - integrates POS devices/systems and may have remote access for ongoing support. Value added services: Chargeback/exception processing, secure password delivery, fraud control, fraud verification services, cardholder accounting, statement processing, remittance processing, data warehousing capture, customer service, risk reporting/service, loyalty programs, rewards programs, interactive voice recognition, skip tracing services. Datacenter hosting: Access to the customer s logical space used to store their payment processing system or provider of additional services such helping their customer maintain the server, and provide power, fire suppression, cameras, biometric scans, physical security. Secure storage facilities: Secure back-up, storage or destruction of electronic and physical media for financial institutions, companies or service providers that have CHD assets but do not electronically store, process or transmit card data. Managed services: Provides services within a third party s CDE, where the managed service provider has access to any cardholder data. Managed services providers usually manage the compliance obligations on behalf of clients for specific requirements within the PCI DSS: application, system management, operations, network management and may perform day-today application, system management, operations with access to cardholder data. Monitoring services: For critical security alerts - Intrusion Detection Systems (IDS), anti-virus, change-detection, compliance monitoring, audit-log monitoring, etc. Network service provider: Cloud & Infrastructure services: network, server, and endpoint management & monitoring. Managed firewall/router provider: Firewall management, migration, monitoring. Statement printing Call center provider: Call centers accessing CHD

8 Token service providers: Transform cardholder data with tokenization or encryption. Corporate T&E charge reporting: Billing, expense reporting, and loyalty/rewards for corporate card issuers Acquirer token service providers: Tokenization solution provider that has overall responsibility for the design and implementation of a specific tokenization solution, and (directly or indirectly through outsourcing) manages tokenization solutions for its customers and/or manages corresponding responsibilities. May manage tokens for merchants and acquirers. Includes Token as a Service (TaaS) providers and token requestor entities. POS services: Deploys and or services POS terminals/atms. Service may include performing maintenance, installation, software or hardware upgrades, and replacement for POS terminals/atms and has access to the CDE and CHD (remote or physical) but no access to PIN data. Software as a Service (SaaS): Hosting provider that allows customers to use the provider s apps running on provider s cloud infrastructure (hosting of servers, storage, and network components). Platform as a Service (PaaS): Hosting provider where customer deploys consumer-created or acquired applications onto provider s cloud infrastructure (hosting of purchased applications). Infrastructure as a Service (IaaS): Hosting provider that allows the customer to deploy and control its own software on provider s cloud infrastructure (Infrastructure as a Service - cloud infrastructure hosting of proprietary applications. *QIR can be recognized as a type of service provider on the Visa Global Registry of Service Providers if they self-identify through the Merchant Servicer Self-Identification Program. DCC Dynamic Currency Conversion Entity that contracts with a Visa client to provide currency conversion services to sponsored merchants at checkout. (i.e. conversion of transaction cost to local currency when making payment in a foreign currency) For more info: DCCcompliance@visa.com CFS Corporate Franchise Servicers Entity that provide, manage or control an environment/connectivity to franchisees that may or may not host or provide payment card payment services (payment applications, inventory management systems, etc.).

9 The CFS is a corporate entity or franchisor that provides, manages or controls a centralized or hosted network environment irrespective of whether Visa cardholder data is being stored, transmitted or processed through it. Although it may or may not host or provide card payment services, more importantly, the insecurity of the shared network can affect an independent location or franchisee and that of its own cardholder data environment if accessed by unauthorized parties. Typically, managed services are provided to the franchisees such as property management systems, inventory control systems, menu distribution systems, etc. CFSs are not directly connected to VisaNet. DCV Distribution Channel Vendor Entity that is responsible for packaging, storing and shipping of non-personalized Visa products (e.g. warehouses, wholesalers, logistics companies). ICPIA Instant Card Personalization Issuance Agent Instant Card Personalization and Issuance refers to the ability to instantly personalize Visa cards as the customer waits or to respond immediately to the request for an emergency replacement of a cardholder's lost or stolen card. Entity has a direct contractual relationship with the Visa client and performs instant card personalization and issuance for the issuer, generally a retailer or kiosk location. ACS Service Provider Access Control Server Service Provider Visa-approved entity operating the Enrollment Server and/or Access Control Server for providing 3-D Secure services (Verified by Visa) to Visa issuers.

10 General Information (FAQs) Direct Contract with Bank Solicitation CHD/Transaction Processing for Bank Direct Contract with Merchant CHD/Transaction Processing for Merchant Settlement To Merchant PCI DSS requirement (AOC for Level 1-SP) (SAQ-D for Level 2- SP) ISO- Merchant (ISO- M) Y Y Merchant Servicer (MS) - Y/N - Y Y - Y Third Party Servicer (TPS) Y - Y Y Payment Facilitator (PF) Y Y/N Y Y Y Y Y How do I register a Third Party Agent? Visa clients must use the Visa Membership Management (VMM) to register third party agents. VMM is an online tool that allows clients to register and maintain third party agents. To use VMM, clients must first be enrolled on Visa Online (VOL). To enroll for VOL go to Once VOL enrollment has been approved the client must request access to VMM. Search for Visa Membership Management on VOL and accesses the VMM link. If the client has never accessed VMM before they will be prompted to register as a new user of VMM. (Please select Officer ) Ensure due diligence has been completed. Understand the agent type prior to registration. Have all applicable documentation (PCI DSS, DBA filing) ready for upload in VMM as part of initial registration.

11 How do I register a VisaNet Processor/ACS Processor? Registration relating to VisaNet services and 3-D secure Verified by Visa (ACS issuing) is also via Visa Membership Management (VMM). Please reference the VMM guide for additional steps to register VisaNet Processor and ACS Processor. Is registration required for software providers? No. Point-of-Sale (POS) software providers that only sell the payment application and do not store, process or transmit Visa cardholder data are not required to register. The Payment Application Data Security Standard (PA-DSS) is available to ensure the secure development of these applications. Details on payment applications are available at Is registration required if a Visa client owns at least 25% of an agent? Third party agents are exempt from the registration requirements specified in Third Party Registration Requirements and the associated fees if it (1) only provides services on behalf of its affiliates (including parents and subsidiaries); and (2) those affiliates are clients that own and control at least 25% of the Third Party Agent. Is registration required for sub-isos? ISO registration is required for any entity that solicits on behalf of a Visa client. An ISO is any entity that solicits merchant or cardholder accounts, discuss pricing, fees or rates, processes merchant or cardholder accounts, discusses terms and agreements, manages and /or drafts contracts, submits contracts to the acquirer or issuer (their registering client bank). A registered ISO may use referral entities or sales representatives to solicit on their behalf; however, those entities may only solicit and market in the name of the registered ISO. Acquirers must not process applications from any entity that they have not registered as an ISO with Visa. Registration is not required for referral entities or sales representatives that solicit in the name of the registered ISO. Referral entities or sales representatives who market in their own name may only generate leads to registered ISOs and may not provide ISO services such as direct solicitation of merchant or cardholder accounts, discuss pricing, fees or rates, process merchant or cardholder accounts, discuss terms and agreements, manages / draft contracts, submit contracts to an acquirer or issuer. Are there new registration requirements for Payment Facilitators? Yes. The Payment Facilitator name that appears in conjunction with the sponsored merchant name on transaction receipts and billing statements, the BIN used, and the location of the Payment Facilitator must be included in the comments section of the VMM registration case. Note: Reference the Merchant Data Manual (MDM) for Merchant Name Description formatting requirements for Payment Facilitators.

12 What is the difference between a Payment Facilitator and other service providers that process Visa transactions? Payment Facilitators contract with an acquirer to provide any of the following services: Solicitation, onboarding, and sponsoring of merchants (directly sign merchant agreements for sponsored merchant with under $100k annual Visa volume) Aggregate transactions for sponsored merchants Store, process, or transmit Visa cardholder data Provide other payment related services including card acceptance, card processing, and settle funds directly with sponsored merchants. Other third party agents such as MS and TPS entities do not provide solicitation activities, sponsor merchants directly or settle directly; the acquirer settles with their merchant directly through their unique merchant IDs. What types of agents require PCI DSS compliance? Any agent that provides managed services and/or stores, processes or transmits Visa cardholder data must validate PCI DSS compliance at the time of registration or provide proof that the agent is the process of validating compliance with a reasonable target completion date. PCI DSS compliance validation with Visa is required every 12 months thereafter. The fine assessed to clients for using a non compliant starts at $10,000 USD per agent. Agent that performs one or more services reviewed in the PCI DSS assessment fall into one of the following agent types and requires PCI DSS compliance validation: Third Party Servicer (TPS), Merchant Servicer (MS), Corporate Franchise Servicer (CFS), Payment Facilitator (PF), High Brand Risk Internet Payment Facilitator (HBRIPF), Dynamic Currency Conversion (DCC). Are there different PCI DSS validation requirements for each Service Provider Level? Yes. Agents fall into two levels based on the volume of Visa transactions stored, processed or transmitted annually. There are different validation requirements for each level:

13 How often does Visa require PCI DSS compliance validation? Any agent that stores, processes or transmits Visa cardholder data must perform the PCI DSS compliance review every 12 months. If Visa does not receive the appropriate revalidation documents, the agent s listing on the Registry changes as follows: 1-60 days overdue, the service provider is highlighted in Yellow on the Registry days overdue, the service provider is highlighted in Red on the Registry After 91 days overdue, the service provider is removed from the Registry How do I update information? agents@visa.com to update agent information. Please attach the legal registration certificate of company name for change of legal name/address. Registered agents are required to notify their Visa client of any changes to information such as: Legal Name / Business Aliases (DBAs, Alternate Names) Legal Address Company Primary Contact Types of services offered Number of Visa transactions processed annually Compliance status (where applicable) Mergers and Acquisitions Financial solvency