Who Has To Register with Card Brands and be PCI DSS Compliant?
Within the context of the card brand rule, Service Providers are defined as any entity that stores, processes, or transmits cardholder data on behalf of another party or otherwise has the ability to impact the security of another party’s cardholder data or cardholder data environment. Examples of such entities include, but are not limited to: payment gateways, hosting providers, loyalty providers, managed security providers, document storage and destruction companies, integrator resellers, etc. Service providers that participate in these activities are required to be registered with the Card Brands and also demonstrate PCI DSS compliance.
How to Determine the Level of Service Provider Your Company is for PCI Compliance.
Service Providers are grouped into 2 levels which will determine the validation efforts required by the Card Brands. Level 1 Service Providers are those that process over 300,000 Visa branded or MasterCard branded transactions annually, while Level 2 Service Providers are those that process less than that amount annually. Below is a list of required documentation based on level.
- Annual On-Site PCI Data Security Assessment completed by a Qualified Security Assessor (QSA)
- Quarterly Vulnerability Scans
- Attestation of Compliance (AOC) signed by the QSA
- Quarterly Vulnerability Scans
- Annual PCI Self-Assessment Questionnaire (SAQ D-SP)
- Attestation of Compliance (AOC) signed by the service provider
Please note that PCI DSS compliance and validation is an industry wide requirement as outlined in the card brand rules and are not unique or specific to Vantiv, now Worldpay.
How to Register as a Service Provider with the Card Brands (Visa & Masterard)
Once you have completed your PCI DSS validation requirements and are considered PCI compliant you will need to complete registration with the Card Brands (Visa and Mastercard). Registration also allows you to demonstrate compliance and better promote your services to potential clients. In order to register we will need some basic business information included in a registration document we will provide you, along with:
- Articles of Incorporation
- Two years business financials (or business tax returns)
- DBA business license (if different from legal)
Once these documents have been collected by Vantiv, now Worldpay, we will submit on behalf of your company. Each Service Provider is required to register with each acquirer relationship.
To learn more about the challenge and costs of PCI and PA DSS Compliance: https://developer.vantiv.com/community/news-and-communications/blog/2017/01/31/pci-and-pa-dss-compliance-costs-challenges
If you are a partner and need help to navigate these requirements, please feel free to reach out to either the Compliance team (Compliance@mercurypay.com) or Carrie Brubaker directly (Carrie.Brubaker@worldpay.com).
Additional information on PCI Security Standards can be found here.
PCI Council QSA Companies can be found here: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
Visa Service Provider information can be found here: https://www.visa.com/splisting/LearnMore.html#pdvsp
Mastercard Service Provider information can be found here: https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/service-providers-need-to-know.html#ftn2