Transcription
VISA.COMVISA.COMThird Party Agent Registration Program – TPA Types andFunctional Descriptionssolicitation and/or customer training to "high–brand risk merchants".Independent Sales Organizations (ISO) ISO Merchant (ISO – M) – Conducts merchantaccount or transaction processing solicitation,sales, customer service, merchant trainingactivities and / or solicitation and sales of POSterminals and / or mPOS devices. Does not haveaccess to the merchant cardholder data (CHD)or the cardholder data environment (CDE). Mayalso sell or resell gateway services (i.e. whitelabel gateway) in conjunction with selling themerchant account and allow the merchant toimplement a payment system solution withoutinstalling or configuring their own system.ISO Cardholder (ISO – C) – Conductscardholder solicitation, card applicationprocessing services and/or customer serviceactivities.ISO ATM (ISO – ATM) – Acts on behalf ofclients to sell and deploy and/or servicequalified ATMs. A “qualified” ATM is an ATMowned by or sponsored by a valid Visa or Plusclient.Encryption Support Organizations (ESO)Performs cryptographic key management servicesto support clients' ATM programs or to deployPoint of Sale PIN Entry Devices (POS PEDs) or PINpads. ATM and PIN Pad manufacturers that managevarious cryptographic key managementresponsibilities for clients are also considered ESOs.An ESO maintains a business relationship with aclient that includes: Loading or injecting encryption keys into ATMS,terminals or PIN Pads Loading software into a terminal or ATM whichwill accept Visa branded cards Merchant help desk support, including reprogramming of terminal softwareEntities using vendor supplied Remote KeyDistribution techniques must ensure that suchvendors are registered with Visa as ESOsISO Prepaid (ISO – PP) – Solicits other entities(i.e., merchants, corporate clients, governmententities, other businesses etc.) to sell, activate orload prepaid cards on behalf of an issuer.Prepaid card sales and/or activation is a primaryfunction of their business.Third-Party Servicers (TPS)Contracted by issuing and/or acquiring clients forpayment related services such as: High Risk ISO (HR – ISO) – Contracts with anacquirer to provide merchant solicitation, sales,customer service, merchant transaction15 June 2016Visa PublicPayment processing: Transaction processing(authorization and clearing and settlementmessages, batch transmissions and datacapture), virtual card processing, PINtransaction processing.1
VISA.COM Value added services: Chargeback/exceptionprocessing, secure password delivery, fraudcontrol, fraud verification services, cardholderaccounting, statement processing, remittanceprocessing, data warehousing capture,customer service, risk reporting/service, loyaltyprograms, rewards programs, interactive voicerecognition, skip tracing services. Datacenter hosting: Access to the customer’slogical space used to store their paymentprocessing system and may provider ofadditional services such helping their customermaintain the server, and provide power, firesuppression, cameras, biometric scans, physicalsecurity. Secure storage facilities: Secure back-up,storage or destruction of electronic and physicalmedia for financial institutions, companies orservice providers that have CHD assets but donot electronically store, process or transmit carddata. Managed services: Provides services within athird party’s CDE, where the managed serviceprovider has access to any cardholder data.Managed services providers usually manage thecompliance obligations on behalf of clients forspecific requirements within the PCI DSS:application, system management, operations,network management and may perform day-today application, system management,operations with access to cardholder data.Monitoring services: For critical security alerts Intrusion Detection Systems (IDS), anti-virus,change-detection, compliance monitoring,audit-log monitoring, etc. Network service provider: Cloud &Infrastructure services: network, server, andendpoint management & monitoring. Managed firewall/router provider: Firewallmanagement, migration, monitoring. Statement printing15 June 2016 Call center provider: Call centers accessing CHD Token service providers: Transform cardholderdata with tokenization or encryption. Corporate T&E charge reporting: Billing,expense reporting, and loyalty/rewards forcorporate card issuers Acquirer token service providers: Tokenizationsolution provider that has overall responsibilityfor the design and implementation of a specifictokenization solution, and (directly or indirectlythrough outsourcing) manages tokenizationsolutions for its customers and/or managescorresponding responsibilities. May managetokens for merchants and acquirers. IncludesToken as a Service (TaaS) providers and tokenrequestor entities. POS services: Deploys and or services POSterminals/ATMS. Service may includeperforming maintenance, installation, softwareor hardware upgrades, replacing POSterminals/ATMs and accessing the CDE andCHD (remote or physical) but no access to PINdata. Software as a Service (SaaS): Hosting providerthat allows customers to use the provider’s appsrunning on provider’s cloud infrastructure(hosting of servers, storage, and networkcomponents). Platform as a Service (PaaS): Hosting providerwhere customer deploys consumer-created oracquired applications onto provider’s cloudinfrastructure (hosting of purchasedapplications). Infrastructure as a Service (IaaS): Hostingprovider that allows the customer to deploy andcontrol its own software on provider’s cloudinfrastructure (Infrastructure as a Service - cloudinfrastructure hosting of proprietaryapplications.Visa Public2
VISA.COMservices such helping their customer maintainthe server, and provide power, fire suppression,cameras, biometric scans, physical security.Merchant Servicers (MS)May be contracted by the merchant directly, notwith the merchant's acquirer to provide specificmerchant payment services including but notlimited to: Payment Gateways and online shopping cart Payment processing: Transaction processing(authorization and clearing and settlementmessages, batch transmissions and datacapture), virtual card processing. Qualified Integrator & Reseller*: Sell, install,and/or service payment applications on behalfof software vendors or others. Integratorservices may include: servicing the paymentapplications (for example, troubleshooting,delivering remote updates, and providingremote support). Technology SolutionIntegrators Provides SaaS (host the software inthe cloud or installs applications directly on theserver) for a merchant. The integrator'stechnology is configured to a gateway's system.POS Integrators - integrates POSdevices/systems and may have remote accessfor ongoing support.POS services: Deploys and or services POSterminals/ATMS. Service may includeperforming maintenance, installation, softwareor hardware upgrades, and replacement forPOS terminals/ATMs and has access to the CDEand CHD (remote or physical) but no access toPIN data.Value added services: Chargeback/exceptionprocessing, secure password delivery, fraudcontrol, fraud verification services, cardholderaccounting, statement processing, remittanceprocessing, data warehousing capture,customer service, risk reporting/service, loyaltyprograms, rewards programs, interactive voicerecognition, skip tracing services. Secure storage facilities: Secure back-up,storage or destruction of electronic and physicalmedia for financial institutions, companies orservice providers that have CHD assets but donot electronically store, process or transmit carddata. Managed services: Provides services within athird party’s CDE, where the managed serviceprovider has access to any cardholder data.Managed services providers usually manage thecompliance obligations on behalf of clients forspecific requirements within the PCI DSS:application, system management, operations,network management and may perform day-today application, system management,operations with access to cardholder data. Monitoring services: For critical security alerts Intrusion Detection Systems (IDS), anti-virus,change-detection, compliance monitoring,audit-log monitoring, etc. Network service provider: Cloud &Infrastructure services: network, server, andendpoint management & monitoring. Managed firewall/router provider: Firewallmanagement, migration, monitoring. Statement printing Call center provider: Call centers accessing CHD Token service providers: Transform cardholderdata with tokenization or encryption. Corporate T&E charge reporting: Billing,expense reporting, and loyalty/rewards forcorporate card issuers Acquirer token service providers: Tokenizationsolution provider that has overall responsibilityfor the design and implementation of a specifictokenization solution, and (directly or indirectlythrough outsourcing) manages tokenizationsolutions for its customers and/or managesDatacenter hosting: Access to the customer’slogical space used to store their paymentprocessing system or provider of additional15 June 2016Visa Public3
VISA.COMcorresponding responsibilities. May managetokens for merchants and acquirers. IncludesToken as a Service (TaaS) providers and tokenrequestor entities.Payment Facilitators (PF) Software as a Service (SaaS): Hosting providerthat allows customers to use the provider’s appsrunning on provider’s cloud infrastructure(hosting of servers, storage, and networkcomponents). Platform as a Service (PaaS): Hosting providerwhere customer deploys consumer-created oracquired applications onto provider’s cloudinfrastructure (hosting of purchasedapplications). Solicit sponsored merchant for Visa acceptance Contracts with sponsored merchants to enableVisa payment acceptance Monitors compliance of sponsored merchantactivity in accordance with the Visa Rules Receives settlement of transaction proceedsfrom the acquirer on behalf of the sponsoredmerchant Must be located within the acquirer’sjurisdiction Cannot be listed on the Terminated MerchantFile (TMF), or similar files Cannot act as a sponsor for another PaymentFacilitator Excluded merchant types (but may be signedunder direct acquiring agreements): Internetpharmacies, Internet pharmacy referral sites,and outbound telemarketersVisa Public4Infrastructure as a Service (IaaS): Hostingprovider that allows the customer to deploy andcontrol its own software on provider’s cloudinfrastructure (Infrastructure as a Service - cloudinfrastructure hosting of proprietaryapplications.*QIR can be recognized as a type of service provider on theVisa Global Registry of Service Providers if they self-identifythrough the Merchant Servicer Self-Identification Program.Corporate Franchise Servicers (CFS)Provide, manage or control an environment/connectivity to franchisees that may or may nothost or provide payment card payment services(payment applications, inventory managementsystems, etc.). The CFS is a corporate entity orfranchisor that provides, manages or controls acentralized or hosted network environmentirrespective of whether Visa cardholder data isbeing stored, transmitted or processed through it.Although it may or may not host or provide cardpayment services, more importantly, the insecurityof the shared network can affect an independentlocation or franchisee and that of its owncardholder data environment if accessed byunauthorized parties. Typically, managed servicesare provided to the franchisees such as propertymanagement systems, inventory control systems,menu distribution systems, etc. CFSs are not directlyconnected to VisaNet.15 June 2016A type of third party agent that can 1) sign amerchant agreement on behalf of an acquirer, and2) receive settlement funds from an acquirer onbehalf of a sponsored merchant. PaymentFacilitators may have access to cardholder data(CHD) or the cardholder data environment (CDE).Service Providers that protect, secure, store,process, or transmit Visa cardholder data and orPIN and are contracted with an acquirer to provideVisa payment services to sponsored merchantssuch as:
VISA.COMHigh Risk Internet Payment Facilitators(HRIPF)Dynamic Currency Conversion (DCC)Contracts with acquirers to provide paymentservices to high–risk merchants, high–brand riskmerchant, high–risk sponsored merchants or high–brand risk sponsored merchants. A High RiskInternet Payment Facilitator (HRIPF) is an entity thatenters into a contract with an acquirer to providepayment services to high–risk merchants, high–brand risk merchant, high–risk sponsoredmerchants or high–brand risk sponsored merchantsand signs one or more merchants belonging tohigh–brand risk merchant category codes, asdefined in the Visa Rules.Distribution Channel Vendors (DCV)Packaging, storing and shipping of nonpersonalized Visa products (e.g. warehouses,wholesalers, logistics companies). For moreinformation please contact AVPamericas@visa.com.Instant Card Personalization Issuance Agent(ICPIA)Packaging, storing and shipping of nonpersonalized Visa products (e.g. warehouses,wholesalers, logistics companies).**ICPIA employer or government managed programsare excluded from the agent registration requirement– however must comply with remainingrequirements listed in the VIOR Agents section.Contracts with an acquirer to provide currencyconversion services to sponsored merchants atcheckout.For more information pleasecontact DCCcompliance@visa.com.Visa Recognized Third Parties – Do NotRequire RegistrationQualified Integrator & Reseller: Sell, install, and/orservice payment applications on behalf of softwarevendors or others. Integrator services may include:servicing the payment applications (for example,troubleshooting, delivering remote updates, andproviding remote support) according to the PA-DSSImplementation Guide and PCI DSS (PCI SSCwebsite, 2014) Technology Solution Integrators Sell software or provides SaaS (host the software inthe cloud or installs applications directly on theserver) for a merchant. The integrator's technologyis configured to the gateway's system. POSIntegrators - integrates POS devices/systems andmay have remote access for ongoing support.For more information pleasecontact AVPamericas@visa.com.15 June 2016Visa Public5
Payment processing: Transaction processing (authorization and clearing and settlement messages, batch transmissions and data capture), virtual card processing. Qualified Integrator & Reseller*: Sell, install, and/or service payment applications on behalf of software vendors or others. Integrator ser
