Agent Registration Program Guide (For use in Asia Pacific, Central Europe, Middle East, Africa) Version 1 April 2014
Contents 1 INTRODUCTION... 3 1.1 ABOUT THIS GUIDE... 3 1.2 WHO NEEDS TO BE REGISTERED?... 4 1.3 WHY IS IT NECESSARY TO REGISTER THE AGENT?... 5 1.4 IMPLICATIONS FOR VISA CLIENT BANKS... 5 2 REGISTRATION PROCESS... 6 2.1 REGISTRATION PROCESS... 6 2.2 WHEN TO REGISTER?... 6 2.3 HOW TO ACCESS THE VMM SYSTEM?... 7 3 REGISTRATION FEES... 8 4 REGISTRATION NON-COMPLIANCE... 9 5 OTHER COMPLIANCE REQUIREMENTS... 10 5.1 VISA COMPLIANCE PROGRAMS... 10 6 FREQUENTLY ASKED QUESTIONS... 11 7 REFERENCES... 14 7.1 VISA GLOBAL REGISTRY OF SERVICE PROVIDER WEBSITE... 14 7.2 FOR GLOBAL VISA ONLINE ACCESS APPLICATION... 14 7.3 FOR PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI DSS)... 14 7.4 VISA RISK MANAGEMENT WEBSITE... 14 7.5 EMAIL CONTACT... 14 GLOSSARY... 15 Visa Public 2
1 Introduction 1.1 About This Guide Agents can be an effective resource for Visa clients to use when managing their acquiring and issuing programs. This document explains the Agent registration requirements for Visa clients and their agents. The Agent Registration Program is a Visa-mandated program enacted to ensure that Visa clients are in compliance with Visa International Operating Regulations ( VIOR ) and policies regarding their use of Agents. Visa clients are required to perform due diligence reviews to ensure that they understand the Agent s business model, financial conditions, background and Payment Card Industry Data Security Standard (PCI DSS) compliance status (where applicable). Visa s Agent registration program is intended to help the clients and agents: understand their accountabilities and responsibilities to the Visa payment system; ensure their compliance with the Visa International Operating Regulations (VIOR) and regional operating regulation. These guidelines for Agent Registration should serve as a reference for Visa clients and agents when outsourcing Visa payment-related services to Agents within and outside the Asia-Pacific (AP) and Central Europe, Middle East, Africa (CEMEA) regions. Agent registration is required for all entities that provide Visa payment-related services, directly or indirectly, to a Visa client (or on behalf of their merchants). Information contained in the latest version of this guide will replace previous versions. The guide is intended for use by Visa clients. Visa Public 3
1.2 Who needs to be registered? Generally, an Agent is an entity engaged to provide Visa payment-related services, directly or indirectly, to a Visa client. An Agent can be a VisaNet Processor (VNP), Third Party, or both. A VisaNet Processor (VNP) is a Visa client or Visa-approved non-visa client that is directly connected to VisaNet and provides Authorization, Clearing, Settlement, or payment-related processing services for merchants or other Visa clients. A Third Party Agent (TPA) is an entity, not defined as a VisaNet Processor, that provides payment-related services, directly or indirectly, to a Visa client and/or stores, transmits, or processes cardholder data. Third parties include: Independent Sales Organization (ISO) Encryption Support Organization (ESO) Third Party Servicer (TPS) Third Party Servicer PIN (TPS-PIN) Merchant Servicer (MS) Corporate Franchise Servicer (CFS) Payment Facilitator (PF) High Risk Internet Payment Service Provider (HRIPSP) Distribution Channel Vendor (DCV) Instant Card Personalization Issuance Agent (ICPIA) Dynamic Currency Conversion (DCC) 3-D Secure Access Control Server (ACS) A TPA does not include: Exemption: Co-brand partners Vendors listed on the list of Visa Approved Vendors (available from Visa Online) A TPA is exempted from the registration requirement and any associated fees if it provides services only on behalf of its affiliates (includes parents and subsidiaries) and those affiliates are Visa clients that own and control at least 25 percent of the TPA. Visa Public 4
1.3 Why is it necessary to register the agent? Compliance with VIOR Under the Visa International Operating Regulations (VIOR), the Visa client has an obligation to register agents with Visa. Agent Relationship The Agent Registration database provides Visa and Visa clients with records of agent relationships. This will help ensure that any obligations and liabilities as required by the VIOR relating to activities performed by the agents are recognized and are clearly associated to a Visa client. Risk Controls and Brand Protection It is the client s responsibility and liability to monitor the practices of its agents. Visa clients are responsible that their agents comply with the relevant standards and requirements, as specified in the VIOR and in the Third Party Agent Due Diligence Risk Standards (a copy can be downloaded from the TPA website). This reduces the risk to Visa, Visa clients, and Visa cardholders from brand damage and financial losses due to agent compromises, operational errors, contractual issues, or other non-compliance with VIOR. 1.4 Implications for Visa Client Banks Visa client banks must ensure that their agents are PCI DSS compliant and adhere to all Visa operating rules. If their agents have directly registered with Visa under the program, Visa will collect the annual PCI DSS attestations directly from the agents. For agents that have not registered directly with Visa, Visa clients will have to submit to Visa the required attestation documents on their behalf. Issuers and acquirers also remain responsible to perform due diligence prior to engaging any agent and execute a written contract with each agent that performs cardholder or merchant solicitations and/or stores, processes, or transmit cardholder or transaction data on behalf of the bank. If the agent is contracted by the acquirers merchant, the acquirer remains responsible to conduct the appropriate due diligence and ensure that the merchant and their agents comply with the relevant Visa and industry requirements. Visa Public 5
2 Registration Process 2.1 Registration Process A Visa client using a VisaNet Processor or Third Party Agent must: Step 1: Step 2: Complete due diligence of the VisaNet Processor or Third Party Agent Register the agent via the Visa Membership Management (VMM) system, a web-based workflow tool, which will replace the paper-based agent registration process, including the Exhibit 5E form. Client will receive an automated acknowledgement email once the registration is completed. Visa s acknowledgement of the registration does not imply that Visa approves or endorses the relationship with the agent, or that the agent complies with Visa requirements. Acceptance or rejection of any application shall be in Visa s sole discretion. Visa reserves the right to reject any application for any or no reason. 2.2 When to register? BEFORE: Visa clients are required to properly register their VisaNet Processor or Third Party Agent with Visa before the entity provides Visa paymentrelated services for the client. AFTER: Visa clients are required to notify Visa when: Designating additional services for the agent. Terminating the contract with the agent Change of status of the agent, e.g. Change of Ownership and Name of entity (due to acquisition, merger, etc.) Change of Address (due to relocation, addition or closure of additional site within the same country) Visa Public 6
Change of Visa payment-related services Visa clients are required to notify Visa of any change of status within 5 business days of the change. 2.3 How to access the VMM System? Visa client must first be enrolled with a Visa Online (VOL) Login ID Visit the following link for access to Global Visa Online: o www.visaonline.com You will need to register as a user of VMM as a Submitter or an Officer: o o Submitter an employee of the institution that generally is not an Officer. A Submitter is granted access in the system, to create (but not approve) cases in the system. The submitter submits the case to the Officer for approval before it is forwarded to Visa. Officer an employee of the institution who is granted access in the system, to submit and approve changes, additions and terminations. Generally, the Officer is the one who will forward the case to Visa. Every institution must designate at least one Officer. The submitter role is not compulsory. Visa Public 7
3 Registration Fees Effective 1 July 2013, Visa clients will be billed a registration fee for agents who prior to 1 July 2013, are not registered with Visa. Effective 1 July 2014, Visa clients will be billed an annual renewal fee. The chart below demonstrates the fees by TPA type: TPA Type Fees ISO/PF/HRIPSP $5,000 ESO/TPS/DCC/MS and all other TPAs $500 Clients in Japan and Korea will not be affected by this pricing. For listing of third party agents in Japan and Korea, contact agents@visa.com. Visa will bill Principal clients for third party agents registered by the credit unions, associate members or any other underlying financial institutions they sponsored. Visa Public 8
4 Registration Non-Compliance A Visa client may be subjected to fines starting at US$10,000 for the first violation in the following situations: Using a Third Party Agent or VisaNet Processor that has not been registered Using a Third Party Agent or VisaNet Processor that fails to comply with the VIOR. The schedule of fines is specified in the VIOR. Visa Public 9
5 Other Compliance Requirements 5.1 Visa Compliance Programs Depending on the Visa payment-related services the agent provides, Visa may require the agent to comply with one or more of Visa s compliance programs. The table below outlines the applicable Visa program and compliance standards per payment-related service. The compliance standards can be downloaded from Global Visa Online. Payment-related Service Process Verified by Visa passwords Any Agent that that stores, processes and/or transmits: - Visa Account Numbers - CVV, CVV2, icvv2 - Other cardholder data Processes PINs for Visa Transactions Instant Card Issuance personalization Warehousing, packaging, distribution of prepaid cards (Distribution Channel Vendors) Visa Program Compliance Access Control Server (ACS) Account Information Security Program (AIS) PIN Security Program Instant Card Issuance Program (ICIP) Approved Vendor Program (optional) 1 Applicable Security Standards PCI Data Security Standards 3-D Secure Security Requirements - Enrollment and Access Control Servers PCI Data Security Standards PCI PIN Security Standards Visa Global Instant Card Personalization Issuance Security Standards Visa Global Physical Security Validation Requirements for Data Preparation, Encryption Support and Fulfillment Card Vendors After registration, a Visa program manager will contact the Visa client to discuss compliance validation of the Agent. The Visa client is expected to complete the necessary due diligence of the Agent to ensure the Agent complies with the VIOR and the applicable security standards prior to Agent registration with Visa. 1 It is up to the Visa client and the Agent if they want the Agent to be enrolled and reviewed annually via the Visa Approved Vendor Program. Approved Vendor Program participation is not mandatory. Visa Public 10
6 Frequently Asked Questions Q: What is the Agent Registration Program? A: The Agent Registration Program is a Visa-mandated program enacted to ensure that Visa clients are in compliance with Visa Inc. Operating Regulations ( Visa rules ) and policies regarding their use of Agents. Q: What is a Third Party Agent or TPA? A: A Third Party Agent (also referred to as TPA ) is an entity, not directly connected to VisaNet, that provides payment-related services, directly or indirectly, to a Visa client (or their merchants) and/or stores, processes or transmits Visa account numbers. TPAs perform multiple functions on the issuing and acquiring side of a Visa client s business. Each function performed by the TPA must be registered by each Visa client that is utilizing those services. TPA functions that require registration are listed under item 1.3 of this guideline. Depending on the function the TPA performs, the TPA may be required to be approved under one or many of Visa s compliance programs. Visa clients will be notified by the individual program owner for further follow-up. Q: Why do I need to register agents? A: Visa wants to ensure that clients attest to having completed the required due diligence reviews, and that they are engaged with agents in a manner that is compliant with the VIOR. Q: Who needs to be registered? A: Agent registration is required for all entities performing solicitation activities and/or storing, processing or transmitting Visa account numbers for Visa clients (or on behalf of their merchants). Clients must register all agents regardless of whether the agent has registered directly with Visa via the Visa Global Registry of Service Provider program. Visa client may be assessed a fine per Agent for not registering an Agent. Q: Who can register agents? A: Only Visa clients can register agents (including any agents their merchants are utilizing). Visa Public 11
Q: How does a Visa client register an agent? A: Effective January 2012, Visa clients can register their agents via the VMM system, a web-based workflow tool, which will replace the current paper-based agent registration process, including the Exhibit 5E form. Q: How do I access VMM? A: 1. You must first be enrolled with a Visa Online (VOL) login ID. 2. Click the following link for access to Global Visa Online: o www.visaonline.com 3. You will need to register as a user of VMM as a Submitter or an Officer: o o Submitter an employee of the institution that generally is not an Officer. A Submitter is granted access in the system, to create (but not approve) cases in the system. The submitter submits the case to the Officer for approval before it is forwarded to Visa. Officer an employee of the institution who is granted access in the system, to submit and approve changes, additions and terminations. Generally, the Officer is the one who will forward the case to Visa. Every institution must designate at least one Officer. The submitter role is not compulsory. Q: Can I continue to use the current paper-based registration process, including the Exhibit 5E form? A: All clients are required to register agents using VMM. Registration request submitted using the Exhibit 5E form will be rejected, and clients will need to resubmit their registration using VMM. There is an exception for clients using another client VisaNet Processor acting as service provider to continue use of Exhibit 5E form to register the relationship. Q: How do I know my registration is accepted? A: Upon completion of the registration, a confirmation letter will arrive via email to the Officer of the institution. Visa Public 12
Q: What is the Visa client s responsibility in relation to agents? A: Visa clients are responsible for their agents; therefore, a Visa client must perform its own due diligence and weigh the operational and financial risks of utilizing the Agent. Visa clients are responsible for ensuring that their agents comply with PCI DSS (where applicable) and Visa International Operating Regulations. Visa clients may be subject to fines and penalties for any agent found to be out of compliance with the PCI DSS or VIOR. Q: Prior to registering an agent, what due diligence must a Visa client perform? A: Visa provides a minimum due diligence standard that all Visa clients must perform prior to registering an agent. Visa s minimum standard includes basic background, financial and operational reviews. However, each Visa client is encouraged to increase the scope of review based on the agent business type, services performed, relative program risk, Visa account data held or processed and the individual Visa client s internal risk appetite and requirements. Q: Can a Visa client register an agent before the agent validates PCI DSS compliance? A: Yes, if the Visa client registers an agent prior to the agent validating compliance, the Agent must be contracted with an approved Qualified Security Assessor (QSA), or commit to completing a Self-Assessment Questionnaire (SAQ) and have an expected date of compliance. A list of QSAs can be found at https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf. Q: What does an agent have to do to get registered? A: To start the registration process, agents should contact their contracted Visa client. If the agent has a contract with a Visa client s merchant, the agent can pursue two avenues: 1) they can directly contact the merchant s Visa client (usually identified by asking the merchant for their acquiring/merchant bank contact information); or 2) Visa can facilitate the registration by contacting the merchant s Visa client on behalf of the agent. Also, the agent has the option to be listed in the Visa Global Registry of Service Providers if they are PCI DSS compliant and registered by at least one Visa client. The Registry is a listing of agents that provide payment-related services to Visa client banks and the merchants. It serves as a source of reference for Visa client banks and merchants when selecting agents for outsourcing Visa payment-related services. For more information, please visit http://www.visa.com/splisting/ Visa Public 13
7 References 7.1 Visa Global Registry of Service Provider Website www.visa.com/splisting 7.2 For Global Visa Online access application www.visaonline.com 7.3 For Payment Card Industry Data Security Standards (PCI DSS) http://www.visa.com/splisting/ 7.4 Visa Risk Management website www.visa.com/staysecureapcemea 7.5 Email Contact For Agent Registration queries, please contact us at agents@visa.com Visa Public 14
Glossary 3-D Secure Access Control Services (ACS) Account Number Acquirer Agent Application processing services ATM/POS terminal deployment services ATM/POS terminal maintenance services ATM transaction Processing services Attestation of Compliance (AOC) Authorization Provider of a software protocol that enables secure processing of Verified by Visa transactions over the Internet and other networks. The 16-digit number that appears on the front of all valid Visa cards. The number is one of the card security features that should be checked by merchants to ensure that a cardpresent transaction is valid. A member that signs a merchant or disburses currency to a Cardholder in a Cash Disbursement, and directly or indirectly enters the resulting Transaction Receipt into Interchange. An entity that acts as a VisaNet Processor (VNP), Third Party, or both. A Third Party that processes applications for Visa cards on behalf of the issuer. A Third Party that installs ATMs or POS terminals. A Third Party that performs maintenance of ATMs or POS terminals, both hardware and software. A Third Party that processes Visa transactions originating through ATMs. This document, which is maintained by the PCI SSC, denotes who the QSA was that completed the ROC and includes the services that are provided by the entity being reviewed. An office of the entity being reviewed signs this to confirm the accuracy of the ROC. A process where an issuer, a VisaNet Processor, or Stand- In Processing approves a Transaction. This includes: Domestic Authorization International Authorization Offline Authorization Visa Public 15
Authorization Center Cardholder Data Chargeback/exception item processing services Customer Service Data warehouse/capture services Distribution Channel Vendor Encryption Support Organization (ESO) Independent Sales Organization (ISO) Facilities established by members in-house or by third party processors to respond to merchants or other members requests for authorizations for transactions or cash disbursements. Data encoded in the card magnetic stripe such as cardholder name, card expiry date, CVV, etc. A Third Party that processes transactions that an Issuer returns to an Acquirer. A Third Party that provides support for cardholder or merchant queries. A Third Party that is a data warehouse that stores or processes cardholder data. An entity responsible for packaging, storage and shipping of pre-manufactured, commercially ready Visa Products (e.g. warehouses, wholesalers, card packagers, logistic companies). Pre-manufactured, commercially ready refers to non-personalized Visa products that have already been manufactured, encoded, and embossed/printed and are ready for sale or distribution to Cardholders. An entity that maintains a business relationship with a Plus/Interlink client that includes: Loading or injecting encryption keys into ATMs, terminals or PIN Pads and kiosks. Loading software into a terminal or ATM which will accept Visa branded cards. Merchant help desk support, including reprogramming of terminal software. Entities using vendor supplied Remote Key Distribution techniques must ensure that such vendors are registered with Visa as ESOs. An organization that has a direct relationship with issuing and/or acquiring clients. Clients contract with ISOs to provide specific services such as merchant solicitation, cardholder solicitation, customer service and card application processing ISOs act on behalf of Visa clients to deploy and/or service qualified ATMs, solicits other entities Visa Public 16
(i.e. merchant, corporate members, government entities etc.) to sell, activate or load prepaid cards. Issuer Instant Card Personalization A member that issues Visa Cards, Visa Electron Cards, or Proprietary Cards bearing the Plus Symbol, and whose name appears on the Card as the issuer (or, for Cards that do not identify the issuer, the member that enters into the contractual relationship with the Cardholder). The ability to instantly personalize Visa cards as the customer waits or to respond immediately to the request for an emergency replacement of a cardholder s lost or stolen card. Instant Card Issuance services Key management Loyalty program management A Third Party that performs instant card personalization and issuance for the issuer. The generation, transmission, storage, loading, safeguarding, use, and replacement of keys in a cryptography system. A Third Party that provides management services for a Visa Clients loyalty program and has access to cardholder data. Mail Order/ Telephone Order Merchant (MO/TO) Managed Services Merchant Merchant Agreement Business where the primary or a major source of income comes from merchandise or services sold by mail to telephone. Such transactions are frequently charged to customers payment card accounts. Services that are provided or facilitated by the CFS agent over centralized or hosted network environments to the franchisees such as property management systems, inventory control systems, menu distribution systems, etc A principal or entity entering into a card acceptance agreement with a Visa member financial institution. A contract between a merchant and an acquirer containing their respective rights, duties, and obligations for participation in the acquirer s Visa or Visa Electron Program. Visa Public 17
Merchant Servicer (MS) Merchant Training Services Payment Gateway Payment Facilitator (previously known as Payment Service Provider) An organization that stores, processes, or transmits Visa account numbers on behalf of the member s merchant. A Merchant Servicer has a contract with a client s merchant (although not necessarily with the client) and provides specific merchant services (e.g. online shopping carts, payment gateways, hosting facilities, data storage, and authorization and/or clearing and settlement messages). A Third Party who provides terminal, fraud, or card acceptance training for merchants. A system that provides electronic commerce services to merchants for the Authorization and Clearing of Electronic Commerce Transactions. An entity that stores, processes or transmits cardholder data and contracts with an Acquirer to provide payment services to a Sponsored Merchant. Includes all commerce type aggregation, including face-toface in addition to e-commerce merchant aggregation. Personal Identification Number (PIN) PIN transaction processing at POS Terminal Prepaid Card Prepaid solicitation, sales, activation, and/or loading Remittance Processing Risk reporting/control services Settlement A personal identification alpha or numeric code that identifies a cardholder in an Authorization Request originating at a terminal with Authorization-Only or Data Capture-Only Capability. A Third Party that processes Visa transactions containing PINs originating from Point-of-Sale (POS) terminals A card used to access funds in a Prepaid Account or a card where monetary value is stored on a Chip. A Third Party that distributes prepaid Visa cards to merchants or end sellers, provides prepaid activation or load services. A Third Party who processes money transfer transactions between one individual to another. A Third Party who provides transaction screening to identify risks or fraudulent transactions and has access to cardholder data. The reporting and transfer of Settlement Amounts owed by Visa Public 18
one Client to another, or to Visa, as a result of Clearing. Statement Processing and/or printing A Third Party who processes cardholder data for the purposes of printing cardholder statements or actually prints the statements. Solicitation A Third Party that solicits for new cardholders or merchants. Switching A Third Party that processes Visa transactions and routes the transactions from the merchant to the issuer of the card. Third Party A Third Party is a non-visa client that is not directly connected to VisaNet and provides payment-related services, directly or indirectly, to a Visa client. V.I.P. System VisaNet Integrated Payment System. The Online processing component of VisaNet. Visa Client An organization which is a client of Visa and which issues cards and/or signs merchants. VisaNet The systems and services, including the V.I.P. System, Visa Authorization, European Customized Services, and BASE II, through which Visa delivers Online Financial Processing, Authorization, Clearing, and Settlement services to members. VisaNet Processor (VNP) An entity that is directly connected to VisaNet and provides authorization, clearing, or settlement services to merchants and/or clients. Visa Public 19