agent registration - visa · agent registration program guidelines 1 introduction 1.1 background...
TRANSCRIPT
Agent Registration
Program Guidelines (For use in Asia Pacific, Central Europe, Middle East and Africa)
Contents 1 INTRODUCTION ........................................................................................................................... 3
1.1 BACKGROUND........................................................................................................................... 3 1.2 PURPOSE OF DOCUMENT ........................................................................................................... 4 1.3 WHO NEEDS TO BE REGISTERED? .............................................................................................. 5 1.4 WHY IS IT NECESSARY TO REGISTER THE AGENT? ..................................................................... 7
2 REGISTRATION PROCESS......................................................................................................... 8 2.1 REGISTRATION PROCESS ........................................................................................................... 8 2.2 WHEN TO REGISTER .................................................................................................................. 8 2.3 REGISTRATION FORMS .............................................................................................................. 9
3 REGISTRATION FEES ............................................................................................................... 10 4 REGISTRATION NON-COMPLIANCE.................................................................................... 11 5 OTHER COMPLIANCE REQUIREMENTS............................................................................. 12
5.1 VISA PROGRAM COMPLIANCE................................................................................................. 12 6 FREQUENTLY ASKED QUESTIONS....................................................................................... 14 7 REFERENCES .............................................................................................................................. 18
7.1 AGENT WEBSITE ..................................................................................................................... 18 7.2 THIRD PARTY COMPLIANCE REQUIREMENTS .......................................................................... 18 7.3 OTHER PROGRAM LINKS......................................................................................................... 18 7.4 EMAIL CONTACT..................................................................................................................... 18
GLOSSARY............................................................................................................................................. 19
Agent Registration Program Guidelines
1 Introduction
1.1 Background
Agents can be an effective resource for Visa clients to use when managing their acquiring and issuing programs.
The Agent Registration Program is a Visa-mandated program enacted to ensure that Visa clients are in compliance with Visa Inc. Operating Regulations (“VIOR”) and policies regarding their use of Agents. Visa clients are required to perform due diligence reviews to ensure that they understand the Agent’s business model, financial conditions, background and Payment Card Industry Data Security Standard (PCI DSS) compliance status (where applicable).
Agent registration is required for all entities that provide Visa payment related services, directly or indirectly, to a Visa client.
3
Agent Registration Program Guidelines
1.2 Purpose of Document
This document explains the Agent registration requirements for Visa clients and their agents. Visa’s Agent registration program is intended to help the clients and agents:
• Understand their accountabilities and responsibilities to the Visa payment system;
• Ensure their compliance with the Visa International Operating Regulations (VIOR) and regional operating regulation.
These guidelines for Agent Registration should serve as a reference for Visa clients and Agents when outsourcing Visa payment related services to Agents within and outside the Asia Pacific region.
4
Agent Registration Program Guidelines
1.3 Who needs to be registered?
Generally, an agent is an entity engaged to provide Visa payment-related services, directly or indirectly, to a Visa client. An Agent can be a VisaNet Processor (VNP), Third Party, or both. A VisaNet Processor (VNP) – is a Visa client or Visa approved non-Visa client that is directly connected to VisaNet and provides Authorization, Clearing, Settlement, or payment-related processing services for merchants or other Visa clients. A Third Party is an entity, not defined as a VisaNet Processor, that provides payment related services, directly or indirectly, to a Visa client and/or stores, transmits, or processes cardholder data. Payment related activities may include:
Cardholder related services:
Solicitation
Customer service
Application processing
Instant card issuance
Prepaid solicitation, sales, activation and/or loading
Loyalty program management
Statement processing and/or printing
Payment processing services
Authorization processing
Clearing/settlement processing
Chargeback/exception item processing
Remittance processing
Data warehousing/capture
Risk reporting/control services
Merchant related services
Solicitation and sales
Training
Customer service
Internet Payment Service Providers (IPSPs)
Payment gateway services
5
Agent Registration Program Guidelines
Card related services
Card vendor sales agents
Prepaid solicitation services
Distribution channel vendors (prepaid)
PIN mailing
ATM/POS Services
ATM/POS terminal deployment
ATM/POS terminal maintenance
ATM transaction processing
Key management
Others
3-D Secure Access Control services
Payment software development
Switching
Visa PIN Processing at POS terminals
A third party does not include:
Co branding partners
Vendors listed on the list of Visa Approved Card Vendors (available from Visa Online)
Exemption:
A Third Party is exempted from the registration requirement and any associated fees if it provides services only on behalf of its affiliates (includes parents and subsidiaries) and those affiliates are Visa clients that own and control at least 25 percent of the third party agent.
6
Agent Registration Program Guidelines
1.4 Why is it necessary to register the agent?
Compliance with VIOR
Under the Visa International Operating Regulations (VIOR), the Visa client has an obligation to register Agents with Visa. Agent Relationship
The Agent Registration database provides Visa and Visa clients with records of Agent relationships. This will help ensure that any obligations and liabilities as required by the VIOR relating to activities performed by the agents are recognized and are clearly associated to a Visa client. Risk Controls and Brand Protection
It is the client’s responsibility and liability to monitor the practices of its Agents. Visa clients are responsible that their Agents comply with the relevant standards and requirements, as specified in the VIOR and in the Third Party Agent Due Diligence Risk Standards (a copy can be downloaded from the TPA website). This reduces the risk to Visa, Visa clients, and Visa cardholders from brand damage and financial losses due to agent compromises, operational errors, contractual issues, or other non-compliance with VIOR.
7
2 Registration Process
2.1 Registration Process
A Visa client using a Visa Net Processor or Third Party must:
Step 1: Complete due diligence of the VisaNet Processor or Third Party
Step 2: Complete VisaNet Processor and Third Party Registration and Designation form
Step 3: Submit form to Visa at [email protected]
Visa will dispatch an acknowledgement email to the client as soon as the Registration forms have been received and processed.
Visa’s acknowledgement of the registration does not imply that Visa approves or endorses the relationship with the Agent, or that the Agent complies with Visa requirements.
2.2 When to register
BEFORE: Visa clients are required to properly register their VisaNet Processor or Third Party with Visa before the entity provides Visa-related services for the client.
AFTER: Visa clients are required to complete the VisaNet Processor and Third Party Registration and Designation form when:
Designating additional services for the VisaNet Processor or Third Party
Terminating the contract with the VisaNet Processor or Third Party
Change of Status of the VisaNet Processor or Third Party, e.g.
• Change of Ownership and Name of entity (due to acquisition, merger, etc.)
Agent Registration Program Guidelines
• Change of Address (due to relocation, addition or closure of “additional” site within the same country)
• Change of Visa-related services
Visa clients are required to notify Visa of any change of status within 5 business days of the change.
2.3 Registration Forms
The agent registration form can be downloaded from http://visa-asia.com/ap/sea/merchants/riskmgmt/. Upon completion, print the form, sign it and scan the signed form. Email the scanned form to [email protected].
9
Agent Registration Program Guidelines
3 Registration Fees
There is no Agent registration fee for Visa clients in Asia Pacific, Central Europe, Middle East and Africa, but, Visa reserves the right in future to impose registration fees.
10
Agent Registration Program Guidelines
4 Registration Non-Compliance
A Visa client may be subject to fines starting at US$10,000 for the first violation in the following situations:
• Using a Third Party or VisaNet Processor that has not been registered
• Using a Third Party or VisaNet Processor that fails to comply with the VIOR.
The schedule of fines is specified in the VIOR.
11
Agent Registration Program Guidelines
5 Other Compliance Requirements
5.1 Visa Program Compliance
Depending on the Visa payment related services the Agent provides, Visa may require the Agent to comply with one or more of Visa’s compliance programs. The table below outlines the applicable Visa program and compliance standards per payment related service. The compliance standards can be downloaded from http://visa-asia.com/ap/sea/merchants/riskmgmt/.
Payment Related Service Visa Program
Compliance
Applicable Security Standards
Process Verified by Visa passwords Access Control Server
(ACS)
PCI Data Security Standards
3-D Secure™ Security Requirements -
Enrollment and Access Control Servers Any Agent that that stores, processes and/or transmits:
- Visa Account Numbers - ‘CVV, CVV2, iCVV2 - Other cardholder data
Account Information
Security Program (AIS)
PCI Data Security Standards
Payment Software Development Account Information
Security Program (AIS)
Payment Application Data Security
Standards
Processes PINs for Visa
Transactions PIN Security Program PCI PIN Security Standards
Instant Card Issuance
personalization
Instant Card Issuance
Program (ICIP)
Visa Global Instant Card
Personalization Issuance
Security Standards
Warehousing, packaging,
distribution of prepaid cards
(Distribution Channel Vendors)
Approved Card Vendor
Program (optional)1
Visa Global Physical Security Validation
Requirements for Data Preparation,
Encryption Support and Fulfillment Card
Vendors
1 It is up to the Visa client and the Agent if they want the Agent to be enrolled and reviewed annually via the Visa Approved Card Vendor Program. Card Vendor Program participation is not mandatory.
12
Agent Registration Program Guidelines
After registration, a Visa program manager will contact the Visa client to discuss compliance validation of the Agent. The Visa client is expected to complete the necessary due diligence of the Agent to ensure the Agent complies with the VIOR and the applicable security standards prior to Agent registration with Visa.
13
Agent Registration Program Guidelines
6 Frequently Asked Questions
Q: What is the Agent Registration Program?
A: The Agent Registration Program is a Visa-mandated program enacted to ensure that Visa clients are in compliance with Visa Inc. Operating Regulations (“Visa rules”) and policies regarding their use of Agents.
Q: Why do I need to register Agents?
A: Visa wants to ensure that clients attest to having completed the required due diligence reviews, and that they are engaged with Agents in a manner that is compliant with the VIOR.
Q: Who needs to be registered?
A: Agent registration is required for all entities performing solicitation activities and / or storing, processing or transmitting Visa account numbers for Visa clients (or on behalf of their merchants).
Clients must register all Agents2 regardless of whether the Agent has registered directly with Visa via the Visa Registry of Service Provider program.
Visa client may be assessed a fine per Agent for not registering an Agent.
Q: What is a Third Party or TPA?
A: A Third Party (also referred to as “TPA”) is an entity, not directly connected to VisaNet, that provides payment-related services, directly or indirectly, to a Visa client (or their merchants) and/or stores, processes or transmits Visa account numbers. TPAs perform multiple functions on the issuing and acquiring side of a Visa client’s business. Each function
2 An Agent is exempted from the registration requirements and any associated fees if it provides services only on behalf of its affiliates (includes parents and subsidiaries) and those affiliates are Visa client that own and control at least 25 percent of the third party agent.
14
Agent Registration Program Guidelines
performed by the TPA must be registered by each Visa client that is utilizing those services. TPA functions that require registration are listed under item 1.3 of this guideline. Depending on the function the TPA performs, the TPA may be required to be approved under one or many of Visa’s compliance programs. Visa clients will be notified by the individual program owner for further follow-up.
Q: Who can register Agents?
A: Only Visa clients can register Agents (including any Agents their merchants are utilizing).
Q: Can Agents register directly with Visa?
A: Yes but this is a separate program to the Agent Registration program. In Asia Pacific an Agent can register directly with Visa via the Visa Registry of Service Providers program (VRSP). The Registry is a listing of service providers that provide payment related services to Visa client banks and the merchants. It serves as a source of reference for Visa client banks and merchants when selecting service providers for outsourcing Visa payment related services. For detailed information on the VRSP Program, please visit www.visa-asia.com/spregistry.
Note, clients must register all Agents regardless of whether the Agent has registered directly with Visa via the VRSP program.
Q: What is the Visa clients responsibility in relation to Agents?
A: Visa clients are responsible for their Agents; therefore, a Visa client must perform its own due diligence and weigh the operational and financial risks of utilizing the Agent.
Visa clients are responsible for ensuring that their Agents comply with PCI DSS (where applicable) and Visa International Operating Regulations. Visa clients may be subject to fines and penalties for any Agent found to be out of compliance with the PCI DSS or Visa Operating Regulations.
15
Agent Registration Program Guidelines
Q: Is there a fee for Visa clients to register Agents?
A: Currently, there are no fees applicable to Visa clients to register an Agent in Asia Pacific, Central Europe, Middle East and Africa.
Q: Prior to registering an Agent, what due diligence must a Visa client perform?
A: Visa provides a minimum due diligence standard that all Visa clients must perform prior to registering an Agent. Visa’s minimum standard includes basic background, financial and operational reviews. However, each Visa client is encouraged to increase the scope of review based on the Agent business type, services performed, relative program risk, Visa account data held or processed and the individual Visa client’s internal risk appetite and requirements.
Q: Can a Visa client register an Agent before the Agent validates PCI DSS compliance?
A: Yes, if the Visa client registers an Agent prior to the Agent validating compliance, the Agent must be contracted with an approved Qualified Security Assessor (QSA), or commit to completing a Self Assessment Questionnaire (SAQ) and have an expected date of compliance. A list of QSAs can be found at https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf.
Q: What does an Agent have to do to get registered?
A: To start the registration process, Agents should contact their contracted Visa client. If the Agent has a contract with a Visa client’s merchant, the Agent can pursue two avenues: 1) they can directly contact the merchant’s Visa client (usually identified by asking the merchant for their acquiring/merchant bank contact information); or 2) Visa can facilitate the registration by contacting the merchant’s Visa client on behalf of the Agent.
Also, the Agent has the option to enroll in Visa’s Registry of Service Providers (VRSP) Program. The Registry is a listing of service providers that provide payment related services to Visa client banks and the merchants. It serves as a source of reference for Visa client banks and merchants when selecting
16
Agent Registration Program Guidelines
service providers for outsourcing Visa payment related services. For detailed information on the VRSP Program, please visit www.visa-asia.com/spregistry.
17
Agent Registration Program Guidelines
7 References
7.1 Agent Website
For Agent Registration, go to http://www.visa-asia.com/ap/sea/merchants/riskmgmt/
7.2 Third Party Compliance Requirements
For PCI DSS requirements, go to http://www.pcisecuritystandards.org/ For PIN Security requirements, go to http://www.visa.com/pinsecurity For 3-D Secure Access Control Server security requirements, go to http://www.visa.com/3-dsecure
7.3 Other Program Links
For Account Information Security (AIS), go to http://www.visa-asia.com/ap/sea/merchants/riskmgmt/ais.shtml For Visa Registry of Service Providers (Registry), go to http://www.visa-asia.com/spregistry For Adobe Reader download and installation, go to http://www.adobe.com For Visa Online access application, go to https://www.ap.visaonline.com
7.4 Email Contact
For Agent Registration queries, please contact us at [email protected]
18
Agent Registration Program Guidelines
Glossary
3-D Secure Access Control Services (ACS)
Provider of a software protocol that enables secure processing of Verified by Visa transactions over the Internet and other networks.
Acquirer A member that signs a merchant or disburses currency to a Cardholder in a Cash Disbursement, and directly or indirectly enters the resulting Transaction Receipt into Interchange.
Agent An entity that acts as a VisaNet Processor (VNP), Third Party, or both.
Application processing services
A Third Party that processes applications for Visa cards on behalf of the issuer.
ATM/POS terminal deployment services
A Third Party that installs ATMs or POS terminals.
ATM/POS terminal maintenance services
A Third Party that performs maintenance of ATMs or POS terminals, both hardware and software.
ATM transaction Processing services
A Third Party that processes Visa transactions originating through ATMs.
Authorization A process where an issuer, a VisaNet Processor, or Stand-In Processing approves a Transaction. This includes: • Domestic Authorization • International Authorization • Offline Authorization
Authorization Center Facilities established by members in-house or by third party processors to respond to merchants’ or other members’ requests for authorizations for transactions or cash disbursements.
Cardholder Data Data encoded in the card magnetic stripe such as cardholder name, card expiry date, CVV, etc.
Card Vendor Sales Agents
A Third Party that acts on behalf of the Visa client or Visa Approved Card vendor to solicit sales of Visa cards or personalization of Visa cards.
19
Agent Registration Program Guidelines
Chargeback/exception item processing services
A Third Party that processes transactions that an Issuer returns to an Acquirer.
Customer Service A Third Party that provides support for cardholder or merchant queries.
Data warehouse/capture services
A Third Party that is a data warehouse that stores or processes cardholder data.
Distribution Channel Vendor
A Third Party responsible for storage and shipping of pre-manufactured, commercially ready Visa Products (warehouses, card packagers, logistic companies)
Internet Payment Service Provider (IPSP)
A Third Party that contracts with an acquirer to provide e-commerce payment services to a Sponsored Merchant. Also referred to as a Merchant Aggregator.
Issuer A member that issues Visa Cards, Visa Electron Cards, or Proprietary Cards bearing the Plus Symbol, and whose name appears on the Card as the issuer (or, for Cards that do not identify the issuer, the member that enters into the contractual relationship with the Cardholder).
Instant Card Personalization
The ability to instantly personalize Visa cards as the customer waits or to respond immediately to the request for an emergency replacement of a cardholder’s lost or stolen card.
Instant Card Issuance services
A Third Party that performs instant card personalization and issuance for the issuer.
Key management
The generation, transmission, storage, loading, safeguarding, use, and replacement of keys in a cryptography system.
Loyalty program management
A Third Party that provides management services for a Visa Clients loyalty program and has access to cardholder data.
Merchant A principal or entity entering into a card acceptance agreement with a Visa member financial institution.
Merchant Servicer (MS)
An organization that stores, processes, or transmits Visa account numbers on behalf of the member’s merchant. The MS has a contract with the merchant, not the member.
Merchant Training Services
A Third Party who provides terminal, fraud, or card acceptance training for merchants.
20
Agent Registration Program Guidelines
Payment Gateway
A system that provides electronic commerce services to merchants for the Authorization and Clearing of Electronic Commerce Transactions.
Payment Software Development
A Third Party who develops software applications contained within a Chip or payment data encoded on a Magnetic Stripe that defines the parameters for processing a Visa or Visa Electron Transaction.
Personal Identification Number (PIN)
A personal identification alpha or numeric code that identifies a cardholder in an Authorization Request originating at a terminal with Authorization-Only or Data Capture-Only Capability.
PIN transaction processing at POS Terminal
A third party that processes Visa transactions containing PINs originating from Point-of-Sale (POS) terminals
Prepaid Card
A card used to access funds in a Prepaid Account or a card where monetary value is stored on a Chip.
Prepaid solicitation, sales, activation, and/or loading
A Third Party that distributes prepaid Visa cards to merchants or end sellers, provides prepaid activation or load services.
Remittance Processing
A Third Party who processes money transfer transactions between one individual to another.
Risk reporting/control services
A Third Party who provides transaction screening to identify risks or fraudulent transactions and has access to cardholder data.
Settlement The reporting and transfer of Settlement Amounts owed by one Client to another, or to Visa, as a result of Clearing.
Statement Processing and/or printing
A Third Party who processes cardholder data for the purposes of printing cardholder statements or actually prints the statements.
Solicitation A Third Party that solicits for new cardholders or merchants.
Switching A Third Party that processes Visa transactions and routes the transactions from the merchant to the issuer of the card.
Third Party A Third Party is a non-Visa client that is not directly connected to VisaNet and provides payment-related services, directly or indirectly, to a Visa client.
V.I.P. System VisaNet Integrated Payment System. The Online processing
21
Agent Registration Program Guidelines
component of VisaNet.
Visa Client An organization which is a client of Visa and which issues cards and/or signs merchants.
VisaNet The systems and services, including the V.I.P. System, Visa Authorization, European Customized Services, and BASE II, through which Visa delivers Online Financial Processing, Authorization, Clearing, and Settlement services to members.
VisaNet Processor (VNP)
A member or Visa-approved non-member that is directly connected to VisaNet and provides Authorization, Clearing, Settlement, or payment-related processing services for merchants or members. The Visa International Operating Regulations also refer to a V.I.P. System User as a type of VisaNet Processor.
22