BAMS Third Party Service Providers (TPSPs) FAQs


1) What is the Third Party Service Provider (TPSP) Agent Registration Program?

The TPSP Agent Registration Program is a Card Brand (Visa USA Inc and MasterCard International)-mandated program enacted to ensure that all Member Banks, such as Bank of America, are in compliance with Card Brand Regulations and policies regarding their use of TPSPs. All Member Banks are required to perform due diligence reviews to ensure that they understand the TPSP's business model, financial conditions, background and Payment Card Industry Data Security Standard (PCI DSS) compliance status. TPSP Agent registration is required for all entities performing solicitation activities and / or storing, processing or transmitting cardholder data on behalf of Member Banks (or on behalf of their merchants). Card Brand registration and annual renewal fees may apply and will be collected prior to initial registration. Annual renewal fees are managed and collected by BAMS.

2) What is a TPSP?

A TPSP is any entity, not connected to VisaNet and not a MasterCard Type I entity, that provides payment-related services, directly or indirectly, to a Member Bank and/or stores, processes or transmits account numbers (cardholder data). TPSPs perform multiple functions on the issuing and acquiring side of a Member Bank's business. Types of TPSPs include, but are not limited to:

- Gateways for transactions from a Merchant location to a Processor
- Providers of Back Office Support (i.e. Customer Service, Exception processing for Acquirer's Merchants)
- Supporting loyalty programs
- Electronic Data Capture
- Fraud servicing, monitoring or scrubbing
- Credit Underwriting (issuing)
- Collections
- Voice authorization and routing
- Call referral processing/telemarketing
- Clearing file preparations and submissions
- Settlement processing
- Cardholder and merchant statement preparation
- Chargeback processing
- Merchant help desk support if there is access to cardholder data
- Loading software into a terminal which will accept cards
- Loading or injecting encryption keys into terminals or PIN pads

3) TPSP functions that require registration include, but are not limited to:

- Merchant or cardholder solicitation activities and / or customer service
- Prepaid program solicitation activities and / or customer service
- Loading or injecting encryption keys into ATMs, terminals or PIN pads
- Loading software into an ATM or terminal
- Storing, processing or transmitting cardholder data

Rev.5/01/2013 1

4) Visa TPSP Definitions:

Third Party Servicer (TPS): A type of TPSP that:
- Has a direct contractual relationship with the Member
- Is not a Member of Visa USA and is not directly connected to VisaNet
- Provides response processing for Visa Members related to program solicitations, transaction processing, data capture, and/or other administrative functions, such as chargeback processing, risk/security reporting, and customer service.

Merchant Servicer (MS): A type of TPSP that:
- Has a direct contractual relationship with a Merchant
- Is not a Member of Visa USA and is not directly connected to VisaNet
- Provides response processing for Visa Members related to program solicitations, transaction processing, data capture, and/or administrative functions, such as chargeback processing, risk/security reporting, and customer service.

Independent Sales Organizations (ISO): An organization or individual, which is not a Member, whose bankcard-related business relationship with a Member involves any of the following:
- Merchant or cardholder solicitation activities and / or customer service
- Prepaid program solicitation activities and / or customer service
- Deploying and / or servicing ATMs
- High Risk Merchant solicitation, sales, customer service, merchant transaction solicitation and/or customer training for the following Merchant Category Codes (MCC): 5962, 5966, 5967, 7995, 5912, 5122.

Encryption and Support Organization (ESO): Deploys ATM, POS or kiosk PIN acceptance devices that process and accept cardholder PINs and/or manage encryption keys.

Payment gateway: Payment gateways are a category of agent or service provider that stores, processes, and / or transmits cardholder data as part of a payment transaction. Specifically, they enable payment transactions (e.g., authorization or settlement) between merchants and processors (e.g. VisaNet endpoints). Merchants may send their payment transactions directly to an endpoint, or indirectly through a payment gateway.

Corporate Franchise Servicers (CFS): A CFS owns or operates a centralized or hosted network environment used by franchisees that can affect the franchisee's cardholder data environment if accessed by unauthorized parties. In some cases CFS entities also provide card payment processing services to franchisees through these network environments.

Payment Service Providers (PSP): Contracting with a Visa member to provide payment services to sponsored merchants.

Dynamic Currency Conversion (DCC): Providing currency conversion services to sponsored merchants at checkout.

5) MasterCard TPSP Definitions:

Third Party Processors (TPPs) Type II: A type of TPSP that:
- Performs transaction and cardholder processing services for one or more Members (such services are referred to as "TPP" Services)
- Is not a Member of MasterCard International and is not directly connected to MasterCard
- Provides Program Services including, but not limited to, terminal operation, authorization services (including but not limited to authorization routing, payment gateway and switching services, voice authorization, and call referral processing), electronic data capture, clearing file preparation and submission, settlement processing (excluding possession, ownership, or control of settlement funds, which are prohibited), cardholder and merchant statement preparation, chargeback processing and Mobile Remote Payment

Data Storage Entity (DSE): A type of TPSP that:
- Is an entity other than a member, merchant, ISO, or TPP that stores, transmits, or processes card or transaction data for or on behalf of a merchant, ISO, or TPP
- These services include, but are not limited to, merchant web site hosting and external hosting of payment applications, such as web site shopping carts.

Third Party Processors (TPPs) Type I: A type of TPSP that:
- Is a Member Service Provider (MSP) that performs transaction and cardholder processing Program Services
- Is not a Member of MasterCard International and is not directly connected to MasterCard
- Generally is one of those that provide Program Services to a large number of Members or that otherwise could significantly impact the integrity of the Interchange System.
- Classification is based on, but not limited to, the annual number of authorized credit and debit transactions processed by the TPP. MasterCard, in its sole discretion, will determine which TPPs to classify as Type I TPPs.

Independent Sales Organizations (ISO): An organization or individual, which is not a Member, whose bankcard-related business relationship with a Member involves any of the following:
- Merchant solicitation, sales, or service
- Merchant Transaction processing solicitation
- Cardholder solicitation or Card application processing services

6) Who can register TPSPs?

Only a Visa and/or MasterCard Member Bank can register TPSPs (including any TPSPs their merchants are utilizing). A Member Bank is ultimately liable for its TPSPs; therefore, a Member Bank must perform its own due diligence and weigh the operational and financial risks of utilizing the TPSP. Each Member whose merchants utilize a TPSP must register that TPSP for the Program Services being provided to their merchant(s).

7) How is the TPSP Agent registration requirement communicated to TPSPs?

The TPSP Agent registration requirement is communicated to Member Banks, VisaNet processors, MasterCard Type I's and TPSPs through industry conferences, direct communications, the Visa PCI website (located at www.visa.com/cisp) and the MasterCard SDP website (located at www.mastercard.com/us/sdp/serviceproviders/index.html).

8) Is there a fee for Member Banks to register TPSPs?

Yes. The Visa fee schedule, effective November 2013, is as follows:

Agent Type | Registration Fee Change (Effective 1 November 2013) | Annual Renewal Fee Change (Effective With the 2013-14 Billing Period)
Independent sales organization (ISO) [1] | $5,000 | $5,000
Payment service provider (PSP) | $5,000 | $5,000
High-risk Internet payment service provider (HRIPSP) | $5,000 | $5,000
ESO | $1,000 | $1,000
TPS | $1,000 | $1,000
Dynamic Currency Conversion (DCC) servicer | $1,000 | $1,000
MS | $1,000 | $1,000

[1] Includes all ISO types: cardholder, ATM, prepaid, merchant and high-risk.

Each client that registers an ISO, ESO, TPS or MS will be billed the registration fee and annual renewal fee at the revised rates shown in the table above. Billing of the annual renewal fee will move from July to November, effective in 2013.

The MasterCard fee schedule, effective January 2013, is as follows:

- $5,000 for initial registration for TPPs
- $5,000 annually for TPPs
- $0 for initial registration and annually for all DSEs

MasterCard bills each Member Bank for each TPP registration submitted. MasterCard currently does not assess registration or annual renewal fees for DSE registrations. Billing of the annual renewal fee will move from November to April, effective in 2014.

9) Prior to registering a TPSP, what due diligence must be performed by a Member Bank?

The Card Brands (Visa and MasterCard) provide a minimum due diligence standard that all Member Banks must perform prior to registering a TPSP. The Card Brands' minimum standard includes basic background, financial and operational reviews. Additionally, any TPSP that stores, processes or transmits cardholder data must be PCI DSS compliant and provide adequate validation per their Service Provider Level. However, each Member Bank is encouraged to increase the scope of review based on the TPSP's business type, services performed, relative program risk, account data held or processed and the individual Member Bank's internal risk appetite and requirements.

10) What does a TPSP have to do to get registered?

To start the registration process, TPSPs should contact their contracted Member Bank. If the TPSP has a contract with a Member Bank's merchant, they can directly contact the merchant's Member Bank (usually identified by asking the merchant for their acquiring / merchant bank contact information). Internally, you can reach out to the BAMS Third Party Programs team to initiate a review and registration of any new TPSP identified. They can be reached via email at dg.thirdpartyprograms@bankofamericamerchant.com.

11) What is the PCI DSS?

Customers offering their payment card at the point of sale, over the Internet, on the phone or through the mail want assurance that their account information is safe. Mandated since 2001, the Visa Cardholder Information Security Program (CISP) and MasterCard Site Data Protection (SDP) Programs protect Visa and MasterCard cardholder data wherever it resides and ensure that Member Banks, merchants and TPSPs adhere to accepted information security standards. In 2006, CISP requirements were incorporated and adopted into an industry standard known as the Payment Card Industry Data Security Standard (PCI DSS). This standard is now owned and managed by the PCI Security Standards Council (PCI SSC). The PCI SSC was funded by Visa, MasterCard, JCB, Discover and American Express. For detailed information concerning PCI DSS compliance and questions, please visit www.visa.com/cisp and www.mastercard.com/us/sdp/serviceproviders/index.html.

12) Are TPSPs required to be PCI DSS compliant?

Yes. Any TPSP that stores, processes or transmits cardholder data must validate PCI DSS compliance with Visa and MasterCard every 12 months. TPSP validation levels and requirements are addressed below.

13) How does a TPSP validate PCI DSS compliance as required by Visa and MasterCard?

Depending on Service Provider Level requirements (see chart below), a TPSP must validate PCI DSS compliance either by contracting with a QSA to complete a Report on Compliance (ROC) or by completing a Self-Assessment Questionnaire (SAQ-D). In addition, all TPSPs, regardless of validation level, must also conduct quarterly network scans through an Approved Scanning Vendor (ASV).

Service Provider Levels Defined

Visa CISP Service Levels:

Service Provider Level | Description
1 | Third Party Agent (TPA) that stores, processes and/or transmits over 300,000 Visa transactions per year
2** | Third Party Agent (TPA) that stores, processes and/or transmits fewer than 300,000 Visa transactions per year

** Effective February 1, 2009, Level 2 Service Providers are no longer listed on Visa's list of PCI DSS Compliant Service Providers. Entities that wish to be on the Visa list of PCI DSS Compliant Service Providers must validate as a Level 1 provider.

MasterCard SDP Service Levels:

Service Provider Level | Description
1* | All TPPs, and all DSEs that store, transmit, or process greater than 300,000 total combined MasterCard and Maestro transactions annually
2* | All DSEs that store, transmit, or process less than 300,000 total combined MasterCard and Maestro transactions annually

* As of October 1, 2010, MasterCard will only list those Service Providers that are also registered and approved as a Service Provider and who have also successfully completed an annual onsite assessment as a Level 1 Service Provider. Effective January 1, 2013, MasterCard has reclassified gateway and switching Program Services from a DSE to a TPP, and such providers must follow PCI DSS requirements as a Level 1 Service Provider, regardless of volumes.

TPSP Compliance Validation Requirements:

Level | Validation Action | Required Documentation | Validated By
1 | Annual On-Site PCI Data Security Assessment | Report on Compliance (ROC), Attestation of Compliance (AOC) | Qualified Security Assessor (QSA)
1 | Quarterly Network Scan | ASV Scan and AOC | Approved Scanning Vendor (ASV)
2 | Annual PCI Self-Assessment Questionnaire | SAQ-D, Attestation of Compliance (AOC) | Service Provider
2 | Quarterly Network Scan | ASV Scan and AOC | Approved Scanning Vendor (ASV)

14) What is the process to submit PCI DSS documents to BAMS to validate compliance?

BAMS will require submission of an executed Attestation of Compliance (AOC) Form and the Executive Summary section of the Report on Compliance (ROC) to demonstrate PCI DSS compliance as a Level 1 service provider. Level 2 service providers will submit a completed SAQ-D and AOC, along with their most recent ASV Scan and Scan AOC. BAMS may also require and request the TPSP's confirmation that they, or their QSA, have submitted their PCI DSS validations to the Card Brands.

15) What is a Member Bank's liability for a TPSP?

Member Banks are responsible for ensuring that their TPSPs comply with PCI DSS and are registered appropriately. Member Banks may be subject to fines and penalties for any TPSP found to be out of compliance with the PCI DSS and not registered as per Visa Operating Regulations or MasterCard Rules.

16) Is registration required for all TPSPs?

Yes. If a Member Bank, or its merchants, has a relationship with a TPSP, directly or indirectly, and the TPSP is not registered by the Member Bank, the Member Bank may be assessed an unregistered agent fine starting at $10,000 per TPSP per Card Brand.

17) Is registration required for Point-of-Sale (POS) software providers?

POS software providers that provide the payment application only and do not store, process and / or transmit cardholder data do not require registration. A separate security standard, the Payment Application Data Security Standard (PA-DSS), is available to ensure the secure development of these applications. Details on payment applications are available at www.visa.com/pabp.

18) What do you (Sales, Account Management and Account Boarding) need to do when boarding a merchant using a Third Party Service Provider?

Prior to submitting an application for a merchant that is going to use a Third Party Service Provider, you must first check the BAMS Approved Third Party Service Provider List to verify that the merchant is requesting a BAMS approved provider. If the Third Party Service Provider is not listed on the BAMS Approved Third Party Service Provider List, contact the Third Party Programs team for approval at dg.thirdpartyprograms@bankofamericamerchant.com prior to boarding or submitting your application.