VisaNet Processors (VNPs) are entities (Visa client and non-Visa client) that are directly connected to the Visa payment network and fulfill an essential role in the payment process and in protecting cardholder data.
Visa's guiding principles for Payment Card Industry Data Security Standards (PCI DSS) compliance for VNPs and service providers are:
-
All client VNPs and service providers that store, process and/or transmit card data must comply with PCI DSS
-
Visa clients are responsible and liable for the actions of their service providers; at a minimum they must ensure that cardholder data is properly protected by complying with PCI DSS
-
All VNPs and service providers that store, process and/or transmit card data must demonstrate their PCI DSS compliance every 12 months
Types of VisaNet Processors
VisaNet Processors (VNPs) are classified into three categories:
| Description | |
1 |
Third party VNPs are entities (non-Visa clients) that are connected directly to VisaNet and provide issuer and/or acquirer card processing services to Visa clients, merchants and/or other service providers. |
2 |
Client VNPs acting as service providers are Visa clients or client-owned entities that are connected directly to VisaNet who provide issuer and/or acquirer card processing services to other Visa clients, merchants that are not acquired by them and/or others. |
3 |
Client Acquiring VNPs are Visa acquirers or client-owned VNPs that only process acquiring transactions for their merchants only and using BINs specifically licensed to them. |
Compliance Validation Requirements
VisaNet processors (VNPs) have to validate their PCI DSS compliance as follows:
Validation Requirements |
|
Third Party VNPs |
- Annual PCI DSS onsite review by a Qualified Security Assessor (QSA) - Quarterly network scan by an Approved Scanning Vendor (ASV) |
| Client VNPs acting as Service Providers |
- Annual PCI DSS onsite review by a Qualified Security Assessor (QSA) - Quarterly network scan by an Approved Scanning Vendor (ASV) |
Client Acquiring VNPs |
- Annual PCI DSS onsite review by a Qualified Security Assessor (QSA) or Internal review - Quarterly network scan by an Approved Scanning Vendor (ASV) |
Validation Submission Deadlines
| Submission Requirement | Deadline |
|
Third Party VNPs |
Submit Report on Compliance (ROC) issued by a Qualified Security Assessor (QSA) and completed Attestation of Compliance form, indicating full PCI DSS compliance. |
30 September 2010 |
Client VNPs acting as Service Providers |
||
Client Acquiring VNPs |
Disclose to Visa whether any prohibited data is being stored post authorization and if so, provide a remediation plan. |
30 September 2010 |
Submit PCI DSS Report on Compliance (ROC) identifying level of compliance. If not fully compliant, a remediation plan must be provided to Visa. |
30 September 2011 |
All submission is to be sent to vpssais@visa.com.
New VisaNet Processors
All new issuing and acquiring VNPs, including existing VNPs that implement new connections to Visa, must comply with the Visa connection requirements, including:
-
Prior to connecting to VisaNet, the entity must demonstrate full compliance with PCI DSS via the submission of the Report on Compliance (ROC) issued by the Qualified Security Assessor (QSA) and the completed Attestation of Compliance form to Visa.
