Asia Pacific, Central Europe Middle East and Africa

Service providers in the Asia Pacific, Central Europe, Middle East and Africa performing solicitation activities, ATM support activities, Verified by Visa services, card or mobile vendor services, or store, process or transmit cardholder data must be registered with Visa prior to inclusion on the Visa Global Registry of Service Providers.

For more information about the Visa Third Party Agent (TPA) program and PCI DSS compliance, please visit our website, Third Party Agent Website or email us at agents@visa.com. To submit PCI DSS compliance validation documents, please email pciagents@visa.com.

For more information on about Visa Access Control Server (ACS) Program contact your regional Visa Risk representative or email Acs@visa.com.

For more information on about Visa Approved Vendor Program contact your regional Visa Risk representative or email VendorCompliance@visa.com.

For more information on about Visa PIN Security Program contact your regional Visa Risk representative or email pinsec@visa.com.

U.S., Canada, Latin America and the Caribbean

Service providers in the Canada, U.S., and Latin America and the Caribbean performing solicitation activities, ATM support activities, Verified by Visa services, card or mobile vendor services, or store, process or transmit cardholder data must be registered with Visa prior to inclusion on the Visa Global Registry of Service Providers.

For more information about the Visa Third Party Agent (TPA) program and PCI DSS compliance, please visit our website, Third Party Agent Website or email us at agentregistration@visa.com. To submit PCI DSS compliance validation documents, please email pcirocs@visa.com.

For more information on about Visa Access Control Server (ACS) Program contact your regional Visa Risk representative or email AVPamericas@visa.com.

For more information on about Visa Approved Vendor Program contact your regional Visa Risk representative or email AVPamericas@visa.com.

For more information on about Visa PIN Security Program contact your regional Visa Risk representative or email pinna@visa.com (U.S. and Canada), pinlac@visa.com (LAC).

image shadow

Resources

Contact Us


Agent Registration and PCI DSS Compliance Info

(AP, CEMEA)

(Canada, LAC, U.S.)

Links

Third Party Agent Website

(AP, CEMEA)


Third Party Agent Website

(Canada, LAC, U.S.)


PCI Data Security Standard


Downloads

TPA Registration Program FAQs

(PDF, 203kb)


Third Party Agent Due Diligence Risk Standards

(PDF, 52kb)


Legend

AP - Asia Pacific

CAN - Canada

CEMEA - Central Europe, Middle East and Africa

LAC - Latin America and Caribbean

U.S. - United States of America


PCI DSS Validated Service Providers

Service Providers that store, process or transmit cardholder data must be registered with Visa and demonstrate PCI DSS compliance. PCI DSS compliance validation is required every 12 months for all service providers. Inclusion on the registry indicates only that the service provider successfully validated PCI DSS compliance with an on-site assessment, based on the report of an independent Qualified Security Assessor (QSA), and has met all applicable Visa program requirements.1.

Annual Revalidation

Service Providers that store, process or transmit Visa cardholder data must demonstrate PCI DSS compliance and provide the compliance validation to Visa every 12 months. The fine for non-compliance starts at 50,000 USD per service provider (assessed to the registering Visa member).


For service providers published on the Registry, if Visa does not receive the appropriate revalidation documents:

Please note that Visa reserves the rights to remove any third party agent from the Registry at its discretion.

Visa Third Party Agent Program (Independent Sales Organizations / Encryption Support Organizations)

Third Party Agents that perform solicitation activities (ISO) or deploys ATM, POS or kiosk PIN acceptance devices and/or manage encryption keys (ESO) without touching cardholder data must be registered with Visa. Inclusion on the registry indicates only that the service provider successfully completed registration with Visa.


For more information on ISOs, please visit our website at www.visa.com/third-party-agent.

Changes and Updates

Service providers are required to notify their financial institution(s) of changes to any information such as: legal name / business aliases; doing business as name (DBA); mergers and acquisitions; legal location or additional business locations; company point of contact; types of services offered; number of Visa transactions or accounts processed annually; compliance status (where applicable); and financial solvency.


For more information on how to get listed, please visit our websites, Third Party Agent Website(AP, CEMEA) or Third Party Agent Website (Canada, LAC, U.S.) or email us at , (AP, CEMEA) or , (Canada, LAC, U.S.).

Access Control Server (ACS) Service Provider Program

Access Control Server (ACS) Service Providers are third-party providers of 3D Secure ACS services that enable secure processing of payment transactions over the Internet. Visa approved ACS Service Providers have validated their security and program compliance to Visa and are listed on the Global Registry of Service Providers.


Prospective ACS service providers seeking to participate in Visa's ACS Service Provider Program must undergo on-site inspections and reviews of their financial background.

Validation

Approved ACS Service Providers offering services to Visa issuers for online internet transactions must demonstrate compliance to Visa program requirements and applicable security requirements. Contact your Visa Risk Representative to learn about program and validation requirements for your region.


For ACS Service Providers published on the Registry, if Visa does not receive the revalidation documents:

Changes and Updates

Visa approved ACS Service Providers are required to notify Visa of changes to any information such as: legal name / business aliases; doing business as name (DBA); mergers and acquisitions; legal location or additional business locations; company point of contact; types of services offered; compliance status (where applicable); and financial insolvency.


For more information about Visa Access Control Server (ACS) Program contact your regional Visa Risk representative.


Canada, LAC, U.S.:


AP, CEMEA:

Approved Vendor Program

Visa Approved Vendors are third-party providers of Visa products or services who have validated their security compliance to Visa. Prospective vendors seeking to participate in the Approved Vendor Program must undergo due diligence reviews, on-site inspections and reviews of their financial background. They also must also sign a contract before participating in the AVP Program. Final approval of a new facility is given once the vendor's finished product samples have been successfully reviewed and approved for quality and consistency and the security of the facility is confirmed. When granted, vendor approval is provided by Visa to ensure certain security and operational characteristics important to the Visa systems and products as a whole. However, this does not, under any circumstances, include any endorsement or warranty regarding the functionality, quality, or performance of any particular product or service. Visa does not warrant any products or services provided by third parties. All rights and remedies regarding products and services, which have received Visa approval, shall be provided by the party providing such products or services, and not by Visa.


Visa International Operating Regulations require Clients to use only approved Vendors, Visa or another Issuer for the manufacture, personalization, chip embedding, initialization, data preparation, or distribution fulfillment of Visa products.


The Global Registry of Service Providers lists all approved vendors (card manufacturers, magnetic-stripe card personalizers, IC personalizers, IC pre-personalizers and over-the-air (OTA) personalizers) approved by Visa to produce Visa products under the Visa Approved Vendor Program.


Clients placing orders for the manufacture, personalization, fulfillment, or initialization of Visa products may contract with any of the Approved Manufacturers, Personalizers or Trusted Service Managers on the list.

Annual Revalidation

All Approved Vendors providing services to Visa issuers for payment products bearing the trademark or service marks of Visa must demonstrate compliance to Visa and PCI program requirements and applicable security requirements on an annual basis and provide the compliance validation to Visa every 12 months. For Approved Vendors published on the Registry, if Visa does not receive the revalidation documents:

Changes and Updates

Visa approved vendors are required to notify Visa of changes to any information such as: legal name / business aliases; doing business as name (DBA); mergers and acquisitions; legal location or additional business locations; company point of contact; types of services offered; compliance status (where applicable); and financial insolvency.


For more information about Visa Approved Vendor Program contact your regional Visa Risk representative.


Canada, LAC, U.S.:


AP, CEMEA:

PIN Security Program

New to the Global Registry of Service Providers are Visa PIN Program participants who have successfully demonstrated compliance with Visa PIN Security Program requirements. The PIN Security Program outlines the minimum acceptable criteria for securing PINs and encryption keys.


The PIN Security Program focuses on entities that process PIN data or perform key management activities on behalf of Visa clients. Visa PIN Program participants include:

Visa clients that utilize the services of validated PIN Program participants have reasonable assurance that the secrecy of cardholder PINs is maintain and the integrity of key management procedures is preserved.


Visa International Operating Regulations require Clients ensure their acquiring third party agents that process or handle PIN data comply with Visa PIN Security Program requirements and that their own processing environment that process or handle PIN data comply with applicable security requirements.

Validation Requirements

PIN Program participants are required to contract directly with a Visa approved security assessor to perform an onsite review to demonstrate compliance to Visa program requirements and applicable security requirements. PIN program participants who successfully demonstrate compliance are listed on the Global Registry of Service Providers.


PIN participants are required to revalidate their compliance every 24 months. Fines may be imposed for non-compliance.


For PIN Program participants published on the Registry, if Visa does not receive the revalidation documents:

Changes and Updates

Visa PIN Program Participants are required to notify Visa of changes to any information such as: legal name / business aliases; doing business as name (DBA); mergers and acquisitions; legal location or additional business locations; company point of contact; types of services offered; compliance status (where applicable); and financial solvency.


For more information about Visa PIN Security Program contact your regional Visa Risk representative.


Canada and U.S.:


AP and CEMEA:


LAC

*The companies listed were validated as being PCI DSS compliant by a QSA as of the "VALIDATION DATE (1)". Service providers are required to revalidate their compliance to Visa every 12 months, with the Attestation of Compliance (AOC) and full Report on Compliance (ROC) (as applicable) due to Visa one year from the "VALIDATION DATE". Entities are listed in each Visa region where they have been registered by at least one client, including: AP - Asia Pacific, CEMEA - Central Europe / Middle East / Africa, LAC - Latin America / Caribbean, CAN - Canada, U.S. - United States. Visa clients are responsible for and are required to use compliant service providers and to follow up with service providers directly if there are any questions about their compliance status. Visa clients are liable for the service providers they use.

(1)PCI DSS assessments represent only a "snapshot" of security in place at the time of the review, and do not guarantee that those security controls remain in place after the review is complete. These reviews did not cover proprietary software solutions that may be used or sold by these service providers.

For service providers registered with Visa Europe, please go to www.visamerchantagentslist.com.