Service providers are organizations that process, store, or transmit Visa cardholder data on behalf of Visa acquirers/issuers, merchants, or other service providers.
Visa issuers and acquirers are responsible for ensuring that all of their service providers comply with the PCI Data Security Standard (DSS) requirements. Visa has prioritized compliance validation based on the volume of transactions, the potential risk, and the exposure introduced into the payment system.
Service providers that are directly connected to VisaNet via the VisaNet Extended Access Server (VEAS) are classified as Third Party VisaNet Processors (VNPs). For validation requirements for Third Party VNPs, please click here.
Service Provider Levels
Service providers are classified into one of two service provider levels:
| Service Provider Level | Description |
| 1 | Any service provider that stores, processes or transmits more than 300,000 Visa accounts/transactions* annually |
| 2 | Any service provider that stores, processes or transmits less than 300,000 Visa accounts/transactions* annually |
| * | Includes all transactions, regardless of type / channel |
Service providers that are directly connected to VisaNet via the VisaNet Extended Access Server (VEAS) are classified as Third Party VisaNet Processors (VNPs), regardless of annual transaction volume.
Compliance Validation Requirements
Under the AIS program, service providers must validate their compliance with PCI DSS as follows:
| | Level 1 | Level 2 |
| | More than 300,000 Visa transactions per year | Less than 300,000 Visa transactions per year |
| Annual PCI DSS onsite review by a PCI SSC Qualified Security Assessor (QSA) | Mandated | Recommended |
| Quarterly network scan by a PCI SSC Approved Scanning Vendor (ASV) | Mandated | Mandated |
| Annual PCI DSS self-assessment questionnaire (SAQ) | Optional | Mandated |
For details on the validation methods, please click here.
Required Compliance Documentation
Visa acquirers / issuers are required to submit to Visa annually the following documents for every one of their service providers unless the service provider has already registered via the Visa Registry of Service Providers Program:
| Service Provider Level | Documents |
| Level 1 | 1. Executed Attestation of Compliance form. 2. Executive Summary and the Description of Scope of Work and Approach Taken sections of the Report on Compliance ("ROC") issued by the QSA. The full ROC is not required. However, Visa reserves the right to require the submission of the full ROC. |
| Level 2 | 1. Self-Assessment Questionnaire ("SAQ") Version D. Visa will not review the contents of the SAQ as issuers and acquirers are responsible for reviewing the accuracy of the SAQ. |
Registry of Service Providers
The Registry of Service Providers is an optional program that service providers can join for the following benefits:
1. Submit their compliance documents (as above) directly to Visa, instead of to all Visa issuers/acquirers that they work with.
2. Get listed on the Registry of Service Providers ("Registry") if they have been reported to be fully compliant with PCI DSS via an onsite review by a QSA. Additional information on the service provider, such as the list of services offered and contact person details, will be made available on the Registry.
Level 2 service providers that have only completed a self-assessment and performed quarterly network scans are encouraged to register but will not be listed on the Registry.
Visa requires service providers to validate PCI DSS compliance every 12 months. Listed service providers that are 1-60 days late are denoted in yellow and those that are 60-90 days late in red. A service provider that does not revalidate full PCI DSS compliance within 90 days of its annual due date will be removed from the Registry.
Click here to find out more about the program and to view the Registry.




