
Which Visa Europe Agent Are You?

Or, where do I register with Visa Europe once I’ve received my completed ROC?

So you’re a service provider, you’ve been assessed by a QSA, and now you want some recognition in the form of a public listing on Visa Europe’s list of compliant service providers, or on the new Visa merchant agent listing web site.

But which route is appropriate?

The first thing to know is that Visa Europe classifies service providers as “agents”. An agent is further classified as follows:

  1. A member agent, providing services directly to a Visa Europe Member (who would be an acquiring bank or other payment processor, for example). Such services might include statement printing, card personalisation, or payment acquiring.
  2. A merchant agent, providing services directly to merchants. These services might include payment page hosting, web hosting or call centre services.

Most service providers will fit broadly into one of the above categories. However, if you’re offering both member and merchant services, then you’re both a member agent and a merchant agent. All of your services will have been assessed, and you can therefore register as both a member and a merchant agent.

A reminder too, that this discussion relates to Visa Europe only. The same may apply to other Visa organisations, but I can’t confirm that. Secondly, other card brands such as Mastercard have different terminology and registration processes.

Now you know what kind of agent you are, how do you register?

  1. Member agents. To register, speak with your client and get in touch with the person responsible for card brand liaison. Your client should be able to sponsor you as a member agent by submitting a form to Visa Europe. Once sponsorship is in place, ask your QSA to submit your ROC, AOC and Attestation of Scope (the QSA will have this) to Visa Europe. Once the documents are accepted, you’ll be included within the PDF on the Visa Europe web site.
  2. Merchant agents. Register your details at the merchant agents registration web site. You’ll need your ROC, your signed AOC and a signed Attestation of Scope document from your QSA. Complete the on-line registration details, accept the T&Cs, and upload your documents. All being well, your details will appear on the merchant agent listing web site shortly thereafter. Note that Visa Europe may charge you for listing.

I hope that’s clarified things for you as a service provider. In the past, with only one way for service providers to be listed (on the Visa Europe PDF document), there was confusion when attempting to find a Visa Member to sponsor merchant agent service providers. In these cases, no member/agent relationship was in place, making it difficult if not impossible for many organisations to make themselves known to Visa Europe.

Cut-off dates for Visa Europe web listing

This update concerns Level 1 Service Providers (member agents).

We just had an update from Visa Europe regarding the final cut-off dates for the December web listing. Normally, this is the 15th of the month (for listing during the same month).

However, to accommodate the Christmas holidays, the cut-off for December will be Friday 7th December. So, you’ll need to ensure that your QSA has submitted your documentation on or before the 7th December.

Terminology & Mastercard Service Provider Registration

If you’re a service provider, you’ll want to read this information from Mastercard about registering with them as a PCI compliant service provider. But before you read it, it’s worth having a brief tour around some relevant terminology.

If you’re a Merchant, you may find this interesting anyway, especially if the PCI compliance and registration of your service providers is something you need to know more about.

Note that this is information from Mastercard, which is a single global brand, as distinct from Visa, which has numerous regional organisations. Visa has its own registration process, which I’ve talked about previously.

Terminology between card brands differs too. For example, when we say “Service Provider”, Visa Europe says “Agent” and Mastercard says “Member Service Provider”. Furthermore, Mastercard MSPs fall into two categories: Third Party Processors (TPPs) and Data Storage Entities (DSEs).

Just to round things off, you should also know that both Mastercard and Visa have different names for their card data security programmes. Visa Inc. has the “Cardholder Information Security Program” (CIS), Visa Europe has the “Account Information Security Program” (AIS). Mastercard has the “Site Data Protection” program (SDP).

Fortunately, all of these programmes are aligned with the PCI DSS.

One last point before you read the message below: a “member bank” refers to a bank that is a member of a card scheme such as Visa or Mastercard. The bank will often be a card acquirer (“acquiring bank”) or card issuer (“issuing bank”), or both. Other organisations can be scheme members too, but that’s a subject for another day.

I think that’s enough terminology for now.

To summarise, if you’re a service provider, you’ve been assessed by a QSA, and you now want to be listed on the Mastercard list of compliant service providers, here’s what you need to know. This is quoted directly from our conversations with the Mastercard compliance team.

“MasterCard requires that the newly identified entity first register as an MSP (Member Service Provider) with the MSP registration team here at MasterCard (member_service_provider@mastercard.com). Note that only one or more of our member banks can enter them into our system. If they have a direct relationship with one or more of our member banks, they should contact each one for separate registration. If they do not have a direct relationship with one or more of our members, they would need to get sponsorship from their customer’s bank to get set up (this may be either a merchant or another processor, such as a Third Party Processor – many of which have direct relationships with our banks).

Note that the Attestation of Compliance (or Certificate of Validation) is submitted only once annually to satisfy the PCI Compliance side of the process. The team which runs MSP registration is separate from the Site Data Protection Program / PCI Compliance group. They can be contacted at the address noted above. Service Providers fall into one of two categories with MasterCard (TPPs and DSEs). More information can be found here:

Please note: As of October 1, 2010, MasterCard will only list those Service Providers that are also registered and approved as a MSP (Member Service Provider) with the MasterCard Registration Program (MRP) and who have also successfully completed an annual onsite assessment and submitted the AOC.”

Note that Ambersail cannot register you with a member bank – you’re most likely to achieve this by speaking with one of your service customers, and asking them to contact their acquiring bank concerning service provider/agent registration purposes.

SAQ Eligibility Guide

Choosing the right Self Assessment Questionnaire (‘SAQ’) can be a very tricky task, especially for merchants with multiple payment channels. The PCI SSC introduced five different SAQs:

  1. SAQ A – Card-not-present Merchants, All Cardholder Data Functions Outsourced.
  2. SAQ B – Merchants with Only Imprint Machines or Only Standalone, Dial-Out Terminals. No Electronic Cardholder Data Storage.
  3. SAQ C – Merchants with Payment Application Systems Connected to the Internet, No Electronic Cardholder Data Storage.
  4. SAQ C-VT – Merchants with Web-Based Virtual Terminals, No Electronic Cardholder Data Storage.
  5. SAQ D – All Other Merchants and All Service Providers Defined by a Payment Brand as Eligible to Complete an SAQ.

Merchants are eligible to complete only one SAQ covering the entire payment system. So, let’s have a look at the following scenarios:

Scenario 1

  • Merchant A has outsourced its E-commerce payment channel to a Service Provider B.
  • Merchant A does not operate any other payment channels.

This model fits an SAQ A. E-commerce transactions are classified as card-not-present, and the channel is outsourced to Service Provider B. Simple!

Scenario 2

  • Merchant B has outsourced its E-commerce payment channel to a Service Provider C.
  • Merchant B also accepts in-house MOTO (Mail Order/Telephone Order) transactions via a virtual terminal provided by the Service Provider C.

This scenario is more complex. Based on the first statement, Merchant B fits an SAQ A. Based on the second statement, Merchant B fits an SAQ C-VT. So, which SAQ should Merchant B complete: SAQ A, C-VT or both?

The correct answer is SAQ D. SAQ A, B, C and C-VT, along with the corresponding Attestation of Compliance (‘AOC’), were designed for merchants operating a single payment channel type. If a merchant operates multiple payment channel types, the only option is to complete SAQ D.
