For several years now, VISA has maintained a concise, no-frills list of PCI DSS compliant service providers on their website. Its intended use was to steer merchants and service providers towards the use of PCI compliant service providers for outsourced services that require the secure handling of cardholder data (e.g., hosting, payment gateway, firewall management, backup). Registration was optional until February 2009, when VISA began mandating that all service providers register.
Successful registration requires that service providers:
- Undergo an annual onsite PCI assessment by a Qualified Security Assessor (QSA), in essence being validated as a Level 1 provider regardless of the level your transaction volume would otherwise have indicated.
- Fill out a service provider registration application with VISA that includes business licensing and other administrative information.
- Pay a $5,000 registration fee for year one and $2,500 each year after.
Whether or not service providers agree with the registration fee, the requirement is in place. I would make the argument that reducing or waiving the fee would drive more adoption and further level the playing field between the providers.
Regardless, it is worth noting that VISA has put the onus on their clients to ensure that each of the service providers those clients do business with is registered with VISA. VISA retains the right to fine any client that uses an unregistered service provider up to $10,000 for every such instance.
So rather than harp on the program or the registration fee, let us take a step back, and look at the opportunities that arise from a service provider registering.
- Regardless of whether or not VISA maintains a compliant service provider list, complying with PCI DSS is not optional. As the standard matures and both fines and breaches become more commonplace, adhering to these standards is not a nice-to-have; it is a must.
- With this list, VISA affords compliant service providers an opportunity to promote their compliant services on a trusted and recognized site that is frequented by many merchants and service providers looking for compliant vendors.
- Compliant service providers have already incurred the cost of an onsite QSA assessment; by registering, these service providers will alleviate a significant amount of inquiry from both prospects and their current clients regarding their adherence to PCI DSS.
- $5,000 for the initial fee and $2,500 each year after is relatively low when compared to other types of marketing costs. VISA's site is generally the first stop for assessors and merchants looking for service providers during the RFI process. Try sponsoring a successful booth at a trade show for under $10,000.
The bottom line is that VISA's approved service provider list is a first stop for merchants and QSAs. As such, this seemingly maligned VISA registration fee is an opportunity in disguise for compliant service providers to promote their services effectively and inexpensively, regardless of size or services offered. For those organizations with a limited marketing budget and sales reach, the benefits of being listed on the VISA site can be even greater.