Note: for information about PCI Security Standards, visit the PCI Security Standards FAQ page located here: https://www.pcisecuritystandards.org/faqs
Who needs to register?
- Mastercard, Visa, and certain other networks require registration for all entities providing merchant processing solicitation activities, managed services and/or storing, processing or transmitting cardholder data for or on behalf of their merchants or agents.
I’m just the developer of a shopping cart that is integrating to your gateway and I do not handle the cardholder data, the merchant will. Do I still need to register?
- It depends. If your business does not transmit, process or store cardholder data and does not have the ability to impact it, your business is not required to register. In other words, if you are only developing the payment application or page and will not participate in transmitting, processing or storing the cardholder data, you are not required to register. However, if you are developing the payment application or page and the cardholder data is passing through your system (i.e. server, website, database) to facilitate the payment application or page, you will be required to register. To be sure, please reach out to us to help you evaluate your need to register.
Is registration required for all third-party service providers?
- Yes. Mastercard and Visa rules generally require all direct or indirect third-party service providers servicing an acquirer's processing customer to be registered.
What happens if I ignore this and don’t register?
- If a third-party service provider is identified by the payment networks as not registered, Worldpay may be subject to fines and/or increased registration fees which will be passed through to the service provider.
What constitutes cardholder data?
- Cardholder data includes:
  - Primary Account Number (PAN)
  - Cardholder Name
  - Expiration Date
  - Service Code
- Sensitive Authentication Data includes:
  - Full track data (magnetic-stripe data or equivalent on a chip)
  - PINs/PIN blocks
- The primary account number is the defining factor for cardholder data. If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment (CDE), they must be protected in accordance with applicable PCI DSS requirements.
Some acquirers don’t charge for this, why do you?
- While Worldpay cannot speak to another acquirer's policies, the payment brand networks assess a fee for each service provider registration submitted. Worldpay passes this registration fee on to the service provider.
How long does it take to be registered?
- A complete registration application generally takes 5 business days. Delays occur when the application is not filled out completely.
What are the informational requirements for registration?
- Basic background, financial and operational information is required along with validation of PCI compliance.
Do I need an agreement with Worldpay to be registered?
- Terms governing your registration through Worldpay can be found here. No other agreement is required. All third-party service providers must have an agreement in place with a merchant, independent sales organization (ISO) or payment facilitator that is processing with Worldpay.
Do I have to register through each acquirer I work with?
- Yes. Third-party service providers that provide services directly to merchants, or indirectly through independent sales organizations or payment facilitators, are required to be registered under each acquirer that those merchants use in their payment processing.
Do I have to register in each region or country in which I do business?
- Yes, a third-party service provider must be registered in each region.
How do I get added to the Visa Service Provider Registry and the Mastercard SDP Compliant Registered Service Provider Lists?
- To be included on the Visa Global Registry, the service must be registered as a third-party service provider with Visa and validate PCI DSS compliance with an on-site assessment by a PCI SSC listed Qualified Security Assessor (QSA).
- To be on the Mastercard SDP Compliant Registered Service Provider List, Mastercard will only list those third-party service providers that are registered with the Mastercard Service Provider Registration Team and have also successfully completed an annual onsite assessment.
Can I get registered as a third-party service provider before I validate PCI DSS compliance?
- Visa – Yes. For existing or previously registered service providers: Visa clients must provide Visa with the Qualified Security Assessor (QSA) company name (if applicable) and the planned validation date to suspend fine assessments. For new service providers (never registered): Visa clients must provide Visa with a QSA engagement letter on the QSA’s letterhead.
- Mastercard – Yes. A PCI action plan is required. The target dates for compliance, in relation to any area of deficiency, must be adhered to. Noncompliance with the dates indicated in the PCI Action Plan may result in the application of noncompliance assessments.
If data is encrypted or masked, do I need to be PCI certified?
- It depends. Per the PCI Security Standards Council FAQ, “Where encrypted cardholder data is shared with a third party, responsibility for the data generally remains with the entity or entities with the ability to decrypt the data or impact the security of the encrypted data. Determining which party is responsible for specific PCI DSS controls will depend on a number of factors, such as who has access to the decryption keys, the role performed by each party, and the agreement between parties. Responsibilities should be clearly defined and documented to ensure both the third-party and the entity providing the encrypted data understand who is responsible for which security controls.”
Where can I find copies of the required PCI DSS validation documentation and more information on PCI scope and applicability?
Where can I find information about becoming Qualified Integrator and Reseller (QIR) certified?
How much does registration cost and are there any renewal fees?
- Please see our fees page located here.
Why do I have to pay to be registered?
- Registration fees are assessed by the payments brand networks and are either paid upfront or passed through to the service provider.
How am I going to be billed for the registration fee?
- Prior to registration, Worldpay will require payment of the registration fee.
- For the annual renewal fees, Worldpay will send you an invoice.
Some acquirers don’t require this, why do you?
- Registration is mandated by the payments brand networks, and Worldpay is bound to operate within their regulations. It is our commitment to honor our contractual obligations and maintain integrity within the payment card industry.