Visa aligns global Service Provider levels
November 13th, 2008 by admin. Posted in Asia-Pacific, Card Brands, Europe, Service Provider

Visa recently announced global PCI DSS deadlines, along with a subtle but important change: the alignment of service provider levels across regions. Today, many Visa regions have aligned their service provider levels, but not all. In Asia-Pacific, for example, the service provider levels differ slightly from those in the US.
On February 1, 2009, service providers worldwide will fall under one set of level definitions, which carry some important nuances for smaller service providers.
First, there will be only two levels instead of the earlier three, which makes the definitions clearer and easier to understand. I consider it a streamlined process that clarifies the message.
- Level 1: “VisaNet processors or any service provider that stores, processes and / or transmits over 300,000 transactions per year”
- Level 2: “Any service provider that stores, processes and / or transmits less than 300,000 transactions per year”
This has a large impact on service providers classified as “gateways”. In the most basic definition, a gateway is any organization that sits between a merchant and its acquirer/processor for the purpose of authorization and settlement. That can include an e-commerce shopping cart provider or a smaller independent sales organization, if they handle authorization and settlement. Under the old rules, if one of these smaller companies processed even ten transactions per year it was considered a gateway and required a Level 1 audit. Starting February 2009, its level will be based solely on transaction volume.
Second, the documentation required for submission will be reduced to expedite the review process. Visa states the following regarding document submission and review:
- Visa will only require submission of an executed Attestation of Compliance Form and the “Executive Summary” section of the service provider’s Report on Compliance (ROC) to demonstrate full PCI DSS compliance as a Level 1 service provider.
- Level 2 service providers will submit version D of the Self-Assessment Questionnaire (SAQ).
- Issuers and acquirers are responsible for reviewing the accuracy of the SAQ.
This means that Visa will not be reviewing the full Report on Compliance (ROC); instead it will focus on the Attestation of Compliance form (available in the appendix of the PCI DSS Security Audit Procedures). It will be up to the acquirers and issuers to review the accuracy of the submitted reports.