Agent Registration
Program Guidelines
(For use in Asia Pacific, Central Europe, Middle East and Africa)
January 2012
Contents
1
INTRODUCTION .................................................................................................................. 3
1.1
1.2
1.3
1.4
2
BACKGROUND .................................................................................................................... 3
PURPOSE OF DOCUMENT .................................................................................................... 4
W HO NEEDS TO BE REGISTERED?........................................................................................ 5
W HY IS IT NECESSARY TO REGISTER THE AGENT? ................................................................ 8
REGISTRATION PROCESS................................................................................................ 9
2.1
2.2
2.3
REGISTRATION PROCESS.................................................................................................... 9
W HEN TO REGISTER ........................................................................................................... 9
HOW TO ACCESS THE VMM SYSTEM.................................................................................. 10
3
REGISTRATION FEES ...................................................................................................... 11
4
REGISTRATION NON-COMPLIANCE .............................................................................. 12
5
OTHER COMPLIANCE REQUIREMENTS ....................................................................... 13
5.1
VISA PROGRAM COMPLIANCE ........................................................................................... 13
6
FREQUENTLY ASKED QUESTIONS ............................................................................... 14
7
REFERENCES ................................................................................................................... 19
7.1
7.2
7.3
7.4
AGENT W EBSITE .............................................................................................................. 19
THIRD PARTY COMPLIANCE REQUIREMENTS ...................................................................... 19
OTHER PROGRAM LINKS ................................................................................................... 19
EMAIL CONTACT ............................................................................................................... 19
GLOSSARY ................................................................................................................................ 20
Agent Registration
Program Guidelines
1
Introduction
1.1
Background
Agents can be an effective resource for Visa clients to use when
managing their acquiring and issuing programs.
The Agent Registration Program is a Visa-mandated program enacted
to ensure that Visa clients are in compliance with Visa Inc. Operating
Regulations (“VIOR”) and policies regarding their use of Agents. Visa
clients are required to perform due diligence reviews to ensure that
they understand the Agent’s business model, financial conditions,
background and Payment Card Industry Data Security Standard (PCI
DSS) compliance status (where applicable).
Agent registration is required for all entities that provide Visa payment
related services, directly or indirectly, to a Visa client (or on behalf of
their merchants).
January 2012
3
Agent Registration
Program Guidelines
1.2
Purpose of Document
This document explains the Agent registration requirements for Visa
clients and their agents. Visa’s Agent registration program is intended
to help the clients and Agents:
•
•
Understand their accountabilities and responsibilities to the
Visa payment system;
Ensure their compliance with the Visa International Operating
Regulations (VIOR) and regional operating regulation.
These guidelines for Agent registration should serve as a reference for
Visa clients and Agents when outsourcing Visa payment related
services to Agents within and outside the Asia Pacific region.
January 2012
4
Agent Registration
Program Guidelines
1.3
Who needs to be registered?
Generally, an agent is an entity engaged to provide Visa paymentrelated services, directly or indirectly, to a Visa client (or on behalf of
their merchants). An Agent can be a VisaNet Processor (VNP), Third
Party, or both.
A VisaNet Processor (VNP) – is a Visa client or Visa approved nonVisa client that is directly connected to VisaNet and provides
Authorization, Clearing, Settlement, or payment-related processing
services for merchants or other Visa clients.
A Third Party Agent (TPA) is an entity, not defined as a VisaNet
Processor, that provides payment related services, directly or
indirectly, to a Visa client and/or stores, transmits, or processes
cardholder data. The different types of TPAs are:

Independent Sales Organization (ISO)

Merchant or cardholder solicitation activities and/or
customer service

Prepaid program solicitation activities and/or customer
service

Deploying and/or servicing ATMs
High Risk Merchant solicitation, sales, customer
service, merchant transaction solicitation and/or
customer training for the following Merchant Category
Codes (MCC): 5962, 5966, 5967, 7995, 5912, 5122


Encryption Support Organization (ESO)

Deploys ATM, POS or kiosk PIN acceptance devices
that process and accept cardholder PINs

Manages encryption keys
Third Party Servicers (TPS)


Merchant Servicers (MS)

January 2012
Storing, processing or transmitting Visa account
numbers on behalf of Visa clients
Storing, processing or transmitting Visa account
numbers on behalf of Visa clients’ acquired merchants
5
Agent Registration
Program Guidelines

Corporate Franchise Servicers (CFS)


Payment Service Providers (PSP)


Providing currency conversion services to sponsored
merchants at checkout
3-D Secure Access Control Services (ACS)

January 2012
Performs instant card personalization and issuance for
the issuer that is generally a retailer or kiosk location
Dynamic Currency Conversion (DCC)


Packaging, storing and shipping of non-personalized
Visa products (e.g. warehouses, wholesalers, logistics
companies)
Instant Card Personalization Issuance Agent (ICPIA)


Providing services to High Risk Internet Merchants
(MCCs 5962, 5966, 5967, 7995, 5912, 5122) and
stores, processes or transmits cardholder data and
has a direct contract with the client
Distribution Channel Vendors (DCV)


Contracting with Visa client to provide payment
services to sponsored merchants. The term “PSP”
replaces the old terminology “IPSP” which now
includes all commerce type aggregation, including
face-to-face in addition to ecommerce merchant
aggregation.
High Risk IPSPs (HRIPSP)


A CFS owns or operates a centralized or hosted
network environment used by franchisees that can
affect the franchisee’s cardholder data environment if
accessed by unauthorized parties. In some cases
CFS entities also provide card payment processing
services to franchisees through these network
environments.
Providing software protocol that enables secure
processing of Verified by Visa transactions over the
internet and other networks
6
Agent Registration
Program Guidelines
A third party does not include:

Co branding partners

Vendors listed on the list of Visa Approved Card Vendors
(available from Visa Online)
Exemption:

January 2012
A Third Party is exempted from the registration requirement
and any associated fees if it provides services only on behalf
of its affiliates (includes parents and subsidiaries) and those
affiliates are Visa clients that own and control at least 25
percent of the third party agent.
7
Agent Registration
Program Guidelines
1.4
Why is it necessary to register the agent?
Compliance with VIOR
Under the Visa International Operating Regulations (VIOR), the Visa
client has an obligation to register Agents with Visa.
Agent Relationship
The Agent registration database provides Visa and Visa clients with
records of Agent relationships. This will help ensure that any
obligations and liabilities as required by the VIOR relating to activities
performed by the agents are recognized and are clearly associated to
a Visa client.
Risk Controls and Brand Protection
It is the client’s responsibility and liability to monitor the practices of its
Agents. Visa clients are responsible that their Agents comply with the
relevant standards and requirements, as specified in the VIOR and in
the Third Party Agent Due Diligence Risk Standards (a copy can be
downloaded from the Agent website). This reduces the risk to Visa,
Visa clients, and Visa cardholders from brand damage and financial
losses due to Agent compromises, operational errors, contractual
issues, or other non-compliance with VIOR.
January 2012
8
Agent Registration
Program Guidelines
2
Registration Process
2.1
Registration Process
A Visa client using an Agent must:
Step 1:
Complete due diligence of the VisaNet Processor
or Third Party
Step 2:
Register the Agent via the Visa Membership
Management (VMM) system, a web-based
workflow tool, which will replace the paper-based
agent registration process, including the Exhibit 5E
form
Visa will dispatch a confirmation letter via email to the client upon
completion of the registration.
Visa’s acknowledgement of the registration does not imply that
Visa approves or endorses the relationship with the Agent, or that
the Agent complies with Visa requirements.
2.2
When to register
BEFORE: Visa clients are required to properly register the Agent
with Visa before the entity provides Visa-related
services for the client.
AFTER:
Visa clients are required to notify Visa when:

Designating additional services for the Agent

Terminating the contract with the Agent

Changing the status of the Agent, e.g.
•
Change of Ownership and Name of entity
(due to acquisition, merger, etc.)
•
Change of Address (due to relocation,
addition or closure of “additional” site
within the same country)
•
Change of Visa-related services
Visa clients are required to notify Visa of any change
of status within 5 business days of the change.
Agent Registration
Program Guidelines
2.3
How to access the VMM system

Visa client must first be enrolled with a Visa Online (VOL)
login ID

Click one of the following links for your regional VOL:

o
Asia Pacific – https://www.ap.visaonline.com
o
CEMEA – https://cemeahp.visaonline.com
You will need to register as a user of VMM – as a
Submitter or an Officer:
o
Submitter – an employee of the institution that
generally is not an Officer. A Submitter is granted
access in the system, to create (but not approve)
cases in the system. The Submitter submits the
case to the Officer for approval before it is
forwarded to Visa.
o
Officer – an employee of the institution who is
granted access in the system, to submit and
approve changes, additions, and terminations.
Generally, the Officer is the one who will forward the case
to Visa. Every institution must designate at least one
Officer. The Submitter role is not compulsory.
January 2012
10
Agent Registration
Program Guidelines
3
Registration Fees

January 2012
There is no Agent registration fee for Visa clients in Asia
Pacific, Central Europe, Middle East and Africa, but, Visa
reserves the right in future to impose registration fees.
11
Agent Registration
Program Guidelines
4
Registration NonCompliance
A Visa client may be subject to fines starting at US$10,000 for the
first violation in the following situations:
•
Using a Third Party Agent or VisaNet Processor that has not
been registered
•
Using a Third Party Agent or VisaNet Processor that fails to
comply with the VIOR.
The schedule of fines is specified in the VIOR.
January 2012
12
Agent Registration
Program Guidelines
5
Other Compliance
Requirements
5.1
Visa Program Compliance
Depending on the Visa payment related services the Agent
provides, Visa may require the Agent to comply with one or more
of Visa’s compliance programs.
The table below outlines the applicable Visa program and
compliance standards per payment related service. The
compliance standards can be downloaded from http://visaasia.com/ap/sea/merchants/riskmgmt/.
Payment Related Service
Visa Program
Applicable Security Standards
Compliance
Process Verified by Visa passwords
Any Agent that that stores,
processes and/or transmits:
Visa Account Numbers
‘CVV, CVV2, iCVV2
-
Access Control Server
(ACS)
Account Information
PCI Data Security Standards
3-D Secure™ Security Requirements Enrollment and Access Control Servers
PCI Data Security Standards
Security Program (AIS)
Other cardholder data
Processes PINs for Visa
Transactions
PIN Security Program
Instant Card Issuance
Instant Card Issuance
personalization
Program (ICPIA)
Warehousing, packaging,
distribution of prepaid cards
(Distribution Channel Vendors)
PCI PIN Security Standards
Visa Global Instant Card
Personalization Issuance
Security Standards
Visa Global Physical Security Validation
Approved Card Vendor
Requirements for Data Preparation,
Program (optional) 1
Encryption Support and Fulfillment Card
Vendors
After registration, a Visa program manager will contact the Visa client to discuss
compliance validation of the Agent. The Visa client is expected to complete the necessary
due diligence of the Agent to ensure the Agent complies with the VIOR and the applicable
security standards prior to Agent registration with Visa.
1
It is up to the Visa client and the Agent if they want the Agent to be enrolled and reviewed annually via the Visa
Approved Card Vendor Program. Card Vendor Program participation is not mandatory.
January 2012
13
Agent Registration
Program Guidelines
6
Frequently Asked
Questions
Q: What is the Agent Registration Program?
A: The Agent Registration Program is a Visa-mandated program
enacted to ensure that Visa clients are in compliance with Visa
International Operating Regulations (“Visa Inc. rules”) and
policies regarding their use of Agents.
Q: What is a Third Party Agent?
A: A Third Party Agent (also referred to as “TPA”) is an entity, not
directly connected to VisaNet, that provides payment-related
services, directly or indirectly, to a Visa client (or their
merchants) and/or stores, processes or transmits Visa account
numbers. TPAs perform multiple functions on the issuing and
acquiring side of a Visa client’s business. Each function
performed by the TPA must be registered by each Visa client
that is utilizing those services. TPA functions that require
registration are listed under item 1.3 of the Agent Registration
Guidelines.
Depending on the function the TPA performs, the TPA may be
required to be approved under one or many of Visa’s
compliance programs. Visa clients will be notified by the
individual program owner for further follow-up.
Q: Why do I need to register the Agent?
A: Visa wants to ensure that clients attest to having completed
the required due diligence reviews, and that they are engaged
with the Agent in a manner that is compliant with the VIOR.
Q: Who needs to be registered?
A: Agent registration is required for all entities performing
solicitation activities and / or storing, processing or transmitting
Visa account numbers for Visa clients (or on behalf of their
merchants).
January 2012
14
Agent Registration
Program Guidelines
2
Clients must register all Agents regardless of whether the
Agent has registered directly with Visa via the Visa Registry of
Service Provider program.
Visa client may be assessed a fine per Agent for not
registering an Agent.
Q: Who can register Agents?
A: Only Visa clients can register Agents (including any Agents
their merchants are using).
Q: How does a Visa client register an Agent?
A: Effective January 2012, Visa clients can register their Agents
via the Visa Membership Management (VMM) system, a webbased workflow tool, which will replace the current paperbased agent registration process, including the Exhibit 5E
form.
Q: How do I access VMM?
A: 1. You must first be enrolled with a Visa Online (VOL) login ID.
2. Click one of the following links for your regional VOL:
Asia Pacific – https://www.ap.visaonline.com
CEMEA – https://cemeahp.visaonline.com
3. You will need to register as a user of VMM – as a Submitter
or an Officer:
 Submitter – an employee of the institution that generally
is not an Officer. A Submitter is granted access in the
system, to create (but not approve) cases in the system.
The Submitter submits the case to the Officer for
approval before it is forwarded to Visa.
 Officer – an employee of the institution who is granted
access in the system, to submit and approve changes,
additions, and terminations.
Generally, the Officer is the one who will forward the case to
Visa. Every institution must designate at least one Officer.
The Submitter role is not compulsory.
2
An Agent is exempted from the registration requirements and any associated fees if it provides services only on
behalf of its affiliates (includes parents and subsidiaries) and those affiliates are Visa client that own and control at
least 25 percent of the third party agent.
January 2012
15
Agent Registration
Program Guidelines
Q: Can I continue to use the current paper-based registration
process, including the Exhibit 5E form?
A: The VMM rollout will be implemented in six phases. Beginning
3
on the effective date for each country, clients will be required
to register Agents using the online system. Registrations filed
using the Exhibit 5E form, following a country’s effective date,
will be rejected, and clients will need to resubmit their
registration using VMM.
Q: How do I know my registration is accepted?
A: Upon completion of the registration, a confirmation letter will
arrive via email to the Officer of the institution.
Q: Can Agents register directly with Visa?
A: Yes but this is a separate program to the Agent Registration
program. In Asia Pacific an Agent can register directly with
Visa via the Visa Registry of Service Providers program
(VRSP). The Registry is a listing of service providers that
provide payment related services to Visa client banks and the
merchants. It serves as a source of reference for Visa client
banks and merchants when selecting service providers for
outsourcing Visa payment related services. For detailed
information on the VRSP Program, please visit www.visaasia.com/spregistry.
Note, clients must register all Agents regardless of whether the
Agent has registered directly with Visa via the VRSP program.
Q: What is the Visa client’s responsibility in relation to
Agents?
A: Visa clients are responsible for their Agents; therefore, a Visa
client must perform its own due diligence and weigh the
operational and financial risks of utilizing the Agent.
Visa clients are responsible for ensuring that their Agents
comply with PCI DSS (where applicable) and Visa
International Operating Regulations. Visa clients may be
3
Please refer to Visa Business News dated 1 December 2011 on Visa to Launch Online Agent Registration
System for the Rollout Timeline.
January 2012
16
Agent Registration
Program Guidelines
subject to fines and penalties for any Agent found to be out of
compliance with the PCI DSS or Visa International Operating
Regulations.
Q: Is there a fee for Visa clients to register Agents?
A: Currently, there are no fees applicable to Visa clients to
register an Agent in Asia Pacific, Central Europe, Middle East
and Africa, but Visa reserves the right in future to impose
registration fees.
Q: Prior to registering an Agent, what due diligence must a
Visa client perform?
A: Visa provides a minimum due diligence standard that all Visa
clients must perform prior to registering an Agent. Visa’s
minimum standard includes basic background, financial and
operational reviews. However, each Visa client is encouraged
to increase the scope of review based on the Agent business
type, services performed, relative program risk, Visa account
data held or processed and the individual Visa client’s internal
risk appetite and requirements.
Q: Can a Visa client register an Agent before the Agent
validates PCI DSS compliance?
A: Yes, if the Visa client registers an Agent prior to the Agent
validating compliance, the Agent must be contracted with an
approved Qualified Security Assessor (QSA), or commit to
completing a Self Assessment Questionnaire (SAQ) and have
an expected date of compliance. A list of QSAs can be found
at https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf.
Q: What does an Agent have to do to get registered?
A: To start the registration process, Agents should contact their
contracted Visa client. If the Agent has a contract with a Visa
client’s merchant, the Agent can pursue two avenues: 1) they
can directly contact the merchant’s Visa client (usually
identified by asking the merchant for their acquiring/merchant
bank contact information); or 2) Visa can facilitate the
registration by contacting the merchant’s Visa client on behalf
of the Agent.
January 2012
17
Agent Registration
Program Guidelines
Also, the Agent has the option to enroll in Visa’s Registry of
Service Providers (VRSP) Program. The Registry is a listing of
service providers that provide payment related services to Visa
client banks and the merchants. It serves as a source of
reference for Visa client banks and merchants when selecting
service providers for outsourcing Visa payment related
services. For detailed information on the VRSP Program,
please visit www.visa-asia.com/spregistry.
January 2012
18
Agent Registration
Program Guidelines
7
References
7.1
Agent Website
For Agent Registration, go to
http://www.visa-asia.com/ap/sea/merchants/riskmgmt/
7.2
Third Party Compliance Requirements
For PCI DSS requirements, go to
http://www.pcisecuritystandards.org/
For PIN Security requirements, go to
http://www.visa.com/pinsecurity
For 3-D Secure Access Control Server security requirements,
go to
http://www.visa.com/3-dsecure
7.3
Other Program Links
For Account Information Security (AIS), go to
http://www.visa-asia.com/ap/sea/merchants/riskmgmt/ais.shtml
For Visa Registry of Service Providers (Registry), go to
http://www.visa-asia.com/spregistry
For Adobe Reader download and installation, go to
http://www.adobe.com
For Visa Online access application, go to
Asia Pacific - https://www.ap.visaonline.com
CEMEA – https://cemeahp.visaonline.com
7.4
Email Contact
For Agent Registration queries, please contact us at
[email protected]
January 2012
19
Agent Registration
Program Guidelines
Glossary
3-D Secure Access
Control Services
(ACS)
Provider of a software protocol that enables secure
processing of Verified by Visa transactions over the Internet
and other networks.
Account Number
The 16-digit number that appears on the front of all valid Visa
cards. The number is one of the card security features that
should be checked by merchants to ensure that a cardpresent transaction is valid.
Acquirer
A financial institution that enters into agreements with
merchants to accept Visa cards as payment for goods and
services. Commonly referred to as the merchant bank.
Agent
An entity that acts as a VisaNet Processor (VNP), Third Party
Agent (TPA), or both.
Application
processing services
A Third Party that processes applications for Visa cards on
behalf of the issuer.
ATM/POS terminal
deployment services
A Third Party that installs ATMs or POS terminals.
ATM/POS terminal
maintenance services
A Third Party that performs maintenance of ATMs or POS
terminals, both hardware and software.
ATM transaction
processing services
A Third Party that processes Visa transactions originating
through ATMs.
Attestation of
Compliance (AOC)
This document, which is maintained by the PCI SSC, denotes
who the QSA was that completed the ROC and includes the
services that are provided by the entity being reviewed. An
office of the entity being reviewed signs this to confirm the
accuracy of the ROC.
Authorization
A process where an issuer, a VisaNet Processor, or Stand-In
Processing approves a Transaction. This includes:
• Domestic Authorization
• International Authorization
• Offline Authorization
January 2012
20
Agent Registration
Program Guidelines
Cardholder
An individual to whom a card is issued, or who is authorized
to use this card.
Cardholder Data
Data encoded in the card magnetic stripe such as cardholder
name, card expiry date, CVV, etc.
Chargeback
A formal process that allows an Issuer to charge the amount
of sale back to the acquirer, because the acquirer or
merchant has not complied with requirements for a Visa
transaction.
Customer Service
A Third Party that provides support for cardholder or merchant
queries.
Distribution Channel
Vendor
A Third Party responsible for storage and shipping of premanufactured,
commercially
ready
Visa
Products
(warehouses, card packagers, logistic companies)
Encryption Support
Organization (ESO)
An ESO maintains a business relationship with a Plus/Interlink
client that includes loading or injecting encryption keys into
ATMs, terminals or PIN Pads and kiosks or loading software
into a terminal or ATM which will accept Visa branded cards,
merchant help desk support, including re-programming of
terminal software. Entities using vendor supplied Remote
Key Distribution techniques must ensure that such vendors
are registered with Visa as ESOs.
Independent Sales
Organization (ISO)
An organization that has a direct relationship with issuing
and/or acquiring clients. Clients contract with ISOs to provide
specific services such as merchant solicitation, cardholder
solicitation, customer service and card application processing.
ISOs act on behalf of Visa clients to deploy and/or service
qualified ATMs, solicit other entities (i.e. merchant, corporate
members, government entities, etc.) to sell, activate or load
prepaid cards.
Instant Card
Personalization
The ability to instantly personalize Visa cards as the customer
waits or to respond immediately to the request for an
emergency replacement of a cardholder’s lost or stolen card.
Instant Card Issuance
services
A Third Party Agent that performs instant card personalization
and issuance for the issuer.
Internet Payment
A Third Party that contracts with an acquirer to provide e-
January 2012
21
Agent Registration
Program Guidelines
Service Provider
(IPSP)
commerce payment services to a Sponsored Merchant. Also
referred to as a Merchant Aggregator.
Issuer
A financial institution that issues Visa cards.
Key management
The generation, transmission, storage, loading, safeguarding,
use, and replacement of keys in a cryptography system.
Loyalty program
management
A Third Party Agent that provides management services for a
Visa Clients loyalty program and has access to cardholder
data.
Mail Order/Telephone
Order Merchant
(MO/TO)
Business where the primary or a major source of income
comes from merchandise or services sold by mail or
telephone. Such transactions are frequently charged to
customers’ payment card accounts.
Managed Services
Services that are provided or facilitated by the CFS agent
over centralized or hosted network environments to the
franchisees such as property management systems, inventory
control systems, menu distribution systems, etc.
Merchant
A principal or entity entering into a card acceptance
agreement with a Visa member financial institution.
Merchant Agreement
A contract between a merchant and an acquirer containing
their respective rights, duties, and obligations for participation
in the acquirer’s Visa or Visa Electron Program.
Merchant Servicer
(MS)
An organization that stores, processes, or transmits Visa
account numbers on behalf of the member’s merchant. A
Merchant Servicer has a contract with a client’s merchant
(although not necessarily with the client) and provides specific
merchant services (e.g. online shopping carts, payment
gateways, hosting facilities, data storage, and authorization
and/or clearing and settlement messages).
Merchant Training
Services
A Third Party who provides terminal, fraud, or card
acceptance training for merchants.
Payment Card
Industry Data Security
Standard (PCI DSS)
A comprehensive set of international security requirements
established by the Payment Card Industry to protect
cardholder data. These requirements apply to all Visa clients,
merchants, and Third Party Agents that store, process, or
January 2012
22
Agent Registration
Program Guidelines
transmit cardholder data.
Payment Card
Industry Security
Standards Council
(PCI SSC)
The PCI Security Standards Council is an open global forum
for the ongoing development, enhancement, storage,
dissemination and implementation of security standards for
account data protection.
The PCI Security Standards Council’s mission is to enhance
payment account data security by driving education and
awareness of the PCI Security Standards. The organization
was founded by American Express, Discover Financial
Services, JCB International, MasterCard Worldwide, and Visa
Inc.
Payment Gateway
A system that provides electronic commerce services to
merchants for the Authorization and Clearing of Electronic
Commerce Transactions.
Payment Service
Provider (PSP)
An entity that contracts with an Acquirer to provide payment
services to a Sponsored Merchant.
Personal
Identification Number
(PIN)
A personal identification alpha or numeric code that identifies
a cardholder in an Authorization Request originating at a
terminal with Authorization-Only or Data Capture-Only
Capability.
PIN transaction
processing at POS
Terminal
A third party that processes Visa transactions containing PINs
originating from Point-of-Sale (POS) terminals
Prepaid Card
A card used to access funds in a Prepaid Account or a card
where monetary value is stored on a Chip.
Prepaid solicitation,
sales, activation,
and/or loading
A Third Party that distributes prepaid Visa cards to merchants
or end sellers, provides prepaid activation or load services.
Report of Compliance
(ROC)
Report containing details documenting an entity’s compliance
status with the PCI DSS.
Self-Assessment
Questionnaire (SAQ)
The PCI DSS SAQ is a validation tool for merchants and
service providers that are not required to undergo an on-site
data security assessment per the PCI DSS Security
Assessment Procedures. The purpose of the SAQ is to assist
organizations in self-evaluating compliance with the PCI DSS,
January 2012
23
Agent Registration
Program Guidelines
and you may be required to share it with your acquiring bank.
The SAQ version D has been developed for all service
providers defined by a payment brand as eligible to complete
an SAQ.
Settlement
The reporting and transfer of Settlement Amounts owed by
one Client to another, or to Visa, as a result of Clearing.
Sponsored Merchant
An electronic-commerce merchant that contracts with a
Payment Service Provider (PSP). The PSP performs some or
all of the sponsored merchant’s payment-related operations
on its behalf. The sponsored merchant must meet all card
acceptance requirements in the Visa International Operating
Regulations, with the single exception that it may have a
contract with a PSP, rather than an acquirer.
Solicitation
A Third Party that solicits for new cardholders or merchants.
Third Party Agent
(TPA)
An entity that is not defined as a VisaNet Processor that
provides payment-related services, directly or indirectly, to a
Visa client and/or stores, transmits, or processes cardholder
data. A TPA must be registered by all Visa clients utilizing
their services, directly or indirectly.
Third Party Agent
Registration
Third Party Agents must enroll with Visa prior to providing any
services on behalf of a financial institution or merchant. This
process is completed through the Visa Membership
Management tool (VMM).
Third Party Servicer
(TPS)
An organization that stores, processes, or transmits Visa
account numbers. The TPS has a direct relationship with the
Visa client.
Verified by Visa
Validates a cardholder’s ownership of an account in real time
during an online Visa card transaction. When the cardholder
clicks “buy” at the checkout of a participating merchant, the
merchant server recognizes the registered Visa card and the
“Verified by Visa” screen automatically appears on the
cardholder’s desktop. The cardholder enters a password to
verify his or her identity and the Visa card. The issuer then
confirms the cardholder’s identity.
Visa Client
An organization which is a client of Visa and which issues
cards and/or signs merchants.
January 2012
24
Agent Registration
Program Guidelines
VisaNet
The data processing systems, networks and operations which
are used to support and deliver authorization services,
exception file services, clearing and settlement services and
any other services.
VisaNet Processor
(VNP)
A Visa client or Visa-approved non-client that is directly
connected to VisaNet and provides authorization, clearing, or
settlement services to merchants and/or clients.
January 2012
25