Third Party Agent Registration Program – TPA Types and Functional Descriptions
Independent Sales Organizations (ISO)
ISO Merchant (ISO – M) – Conducts merchant account or transaction processing solicitation, sales, customer service, merchant training activities and/or solicitation and sales of POS terminals and/or mPOS devices. Does not have access to the merchant cardholder data (CHD) or the cardholder data environment (CDE). May also sell or resell gateway services (i.e. white label gateway) in conjunction with selling the merchant account and allow the merchant to implement a payment system solution without installing or configuring their own system.
ISO Cardholder (ISO – C) – Conducts cardholder solicitation, card application processing services and/or customer service activities. May be sponsored for administration of a debit/credit program on behalf of an issuer.
ISO ATM (ISO – ATM) – Acts on behalf of clients to sell and deploy and/or service qualified ATMs. A “qualified” ATM is an ATM owned by or sponsored by a valid Visa or Plus client.
ISO Prepaid (ISO – PP) – Solicits other entities (i.e., merchants, corporate clients, government entities, other businesses etc.) to sell, activate or load prepaid cards on behalf of an issuer. Prepaid card sales and/or activation is a primary function of their business. May be sponsored for administration of a prepaid program on behalf of an issuer.
ISO High Risk (ISO – HR) – Contracts with an acquirer to provide merchant solicitation, sales, customer service, merchant transaction solicitation and/or customer training to “high–brand risk merchants”.
Encryption Support Organizations (ESO)
Performs cryptographic key management services to support clients’ ATM programs or to deploy Point of Sale PIN Entry Devices (POS PEDs) or PIN pads. ATM and PIN Pad manufacturers that manage various cryptographic key management responsibilities for clients are also considered ESOs.
An ESO maintains a business relationship with a client that includes:
- Loading or injecting encryption keys into ATMs, terminals or PIN Pads
- Loading software into a terminal or ATM which will accept Visa branded cards
- Merchant help desk support, including reprogramming of terminal software
Entities using vendor supplied Remote Key Distribution techniques must ensure that such vendors are registered with Visa as ESOs.
Third-Party Servicers (TPS)
Contracted by issuing and/or acquiring clients for payment related services such as:
- Payment processing: Transaction processing (authorization and clearing and settlement messages, batch transmissions and data capture), virtual card processing, PIN transaction processing.
- Value added services: Chargeback / exception processing, secure password delivery, fraud control, fraud verification services, cardholder accounting, statement processing, remittance processing, data warehousing capture, customer service, risk reporting/service, loyalty programs, rewards programs, interactive voice recognition, skip tracing services.
- Datacenter hosting: Access to the customer’s logical space used to store their payment processing system; may also provide additional services such as helping the customer maintain the server, and providing power, fire suppression, cameras, biometric scans and physical security.
- Secure storage facilities: Secure back-up, storage or destruction of electronic and physical media for financial institutions, companies or service providers that have CHD assets but do not electronically store, process or transmit card data.
- Managed services: Provides services within a third party’s CDE, where the managed service provider has access to any cardholder data. Managed services providers usually manage the compliance obligations on behalf of clients for specific requirements within the PCI DSS (application, system management, operations, network management) and may perform day-to-day application, system management and operations tasks with access to cardholder data.
- Monitoring services: For critical security alerts – Intrusion Detection Systems (IDS), anti-virus, change-detection, compliance monitoring, audit-log monitoring, etc.
- Network service provider: Cloud & Infrastructure services: network, server, and endpoint management & monitoring.
- Managed firewall/router provider: Firewall management, migration, monitoring.
- Statement printing.
- Call center provider: Call centers accessing CHD.
- Token service providers: Transform cardholder data with tokenization or encryption.
- Corporate T&E charge reporting: Billing, expense reporting, and loyalty/rewards for corporate card issuers.
- Acquirer token service providers: Tokenization solution provider that has overall responsibility for the design and implementation of a specific tokenization solution, and (directly or indirectly through outsourcing) manages tokenization solutions for its customers and/or manages corresponding responsibilities. May manage tokens for merchants and acquirers. Includes Token as a Service (TaaS) providers and token requestor entities.
- POS services: Deploys and/or services POS terminals/ATMs. Service may include performing maintenance, installation, software or hardware upgrades, replacing POS terminals/ATMs and accessing the CDE and CHD (remote or physical) but no access to PIN data.
- Software as a Service (SaaS): Hosting provider that allows customers to use the provider’s apps running on provider’s cloud infrastructure (hosting of servers, storage, and network components).
- Platform as a Service (PaaS): Hosting provider where customer deploys consumer-created or acquired applications onto provider’s cloud infrastructure (hosting of purchased applications).
- Infrastructure as a Service (IaaS): Hosting provider that allows the customer to deploy and control its own software on provider’s cloud infrastructure (cloud infrastructure hosting of proprietary applications).
Merchant Servicers (MS)
May be contracted by the merchant directly, not with the merchant’s acquirer, to provide specific merchant payment services including but not limited to:
- Payment Gateways and online shopping cart.
- Payment processing: Transaction processing (authorization and clearing and settlement messages, batch transmissions and data capture), virtual card processing.
- POS services: Deploys and/or services POS terminals/ATMs. Service may include performing maintenance, installation, software or hardware upgrades, and replacement for POS terminals/ATMs and has access to the CDE and CHD (remote or physical) but no access to PIN data.
- Value added services: Chargeback / exception processing, secure password delivery, fraud control, fraud verification services, cardholder accounting, statement processing, remittance processing, data warehousing capture, customer service, risk reporting/service, loyalty programs, rewards programs, interactive voice recognition, skip tracing services.
- 3DS Service Provider: Deploys a merchant plug-in/MPI that provides acquiring side cardholder authentication.
- Datacenter hosting: Access to the customer’s logical space used to store their payment processing system, or provision of additional services such as helping the customer maintain the server, and providing power, fire suppression, cameras, biometric scans and physical security.
- Secure storage facilities: Secure back-up, storage or destruction of electronic and physical media for financial institutions, companies or service providers that have CHD assets but do not electronically store, process or transmit card data.
- Managed services: Provides services within a third party’s CDE, where the managed service provider has access to any cardholder data. Managed services providers usually manage the compliance obligations on behalf of clients for specific requirements within the PCI DSS (application, system management, operations, network management) and may perform day-to-day application, system management and operations tasks with access to cardholder data.
- Monitoring services: For critical security alerts – Intrusion Detection Systems (IDS), anti-virus, change-detection, compliance monitoring, audit-log monitoring, etc.
- Network service provider: Cloud & Infrastructure services: network, server, and endpoint management & monitoring.
- Managed firewall/router provider: Firewall management, migration, monitoring.
- Statement printing.
- Call center provider: Call centers accessing CHD.
- Token service providers: Transform cardholder data with tokenization or encryption.
- Corporate T&E charge reporting: Billing, expense reporting, and loyalty/rewards for corporate card issuers.
- Acquirer token service providers: Tokenization solution provider that has overall responsibility for the design and implementation of a specific tokenization solution, and (directly or indirectly through outsourcing) manages tokenization solutions for its customers and/or manages corresponding responsibilities. May manage tokens for merchants and acquirers. Includes Token as a Service (TaaS) providers and token requestor entities.
- Software as a Service (SaaS): Hosting provider that allows customers to use the provider’s apps running on provider’s cloud infrastructure (hosting of servers, storage, and network components).
- Platform as a Service (PaaS): Hosting provider where customer deploys consumer-created or acquired applications onto provider’s cloud infrastructure (hosting of purchased applications).
- Infrastructure as a Service (IaaS): Hosting provider that allows the customer to deploy and control its own software on provider’s cloud infrastructure (cloud infrastructure hosting of proprietary applications).
Corporate Franchise Servicers (CFS)
Provide, manage or control an environment/connectivity to franchisees that may or may not host or provide payment card payment services (payment applications, inventory management systems, etc.). The CFS is a corporate entity or franchisor that provides, manages or controls a centralized or hosted network environment irrespective of whether Visa cardholder data is being stored, transmitted or processed through it. Although it may or may not host or provide card payment services, more importantly, the insecurity of the shared network, if accessed by unauthorized parties, can affect an independent location or franchisee and its own cardholder data environment. Typically, managed services are provided to the franchisees such as property management systems, inventory control systems, menu distribution systems, etc. CFSs are not directly connected to VisaNet.
Payment Facilitators (PF)
A Payment Facilitator (PF) – also known as a “master merchant” or “merchant aggregator” – is a third-party agent that can both (i) sign a merchant acceptance agreement with a seller on behalf of an acquirer, and (ii) receive settlement proceeds from an acquirer, on behalf of the underlying seller (known as a Sponsored Merchant or “submerchant”); an entity that performs either one of these functions is considered a PF, even if they don’t perform both functions. Payment Facilitators may have access to cardholder data (CHD) or the cardholder data environment (CDE). They are service providers that protect, secure, store, process, or transmit Visa cardholder data and/or PIN and are contracted with an acquirer to provide Visa payment services to sponsored merchants, such as:
- Solicits sponsored merchants for Visa acceptance.
- Contracts with sponsored merchants to enable Visa payment acceptance.
- Monitors compliance of sponsored merchant activity in accordance with the Visa Rules.
- Receives settlement of transaction proceeds from the acquirer on behalf of the sponsored merchant.
- Must be located within the acquirer’s jurisdiction.
- Cannot be listed on the Terminated Merchant File (TMF), or similar files.
- Cannot act as a sponsor for another Payment Facilitator.
- Excluded merchant types (but may be signed under direct acquiring agreements): Internet pharmacies, Internet pharmacy referral sites, and outbound telemarketers.
High Risk Internet Payment Facilitators (HRIPF)
Contracts with acquirers to provide payment services to high–risk merchants, high–brand risk merchants, high–risk sponsored merchants or high–brand risk sponsored merchants. A High Risk Internet Payment Facilitator (HRIPF) is an entity that enters into a contract with an acquirer to provide payment services to high–risk merchants, high–brand risk merchants, high–risk sponsored merchants or high–brand risk sponsored merchants and signs one or more merchants belonging to high–brand risk merchant category codes, as defined in the Visa Rules.
Marketplaces
A Marketplace is an online entity that brings together customers and sellers on a single, Marketplace-branded platform (i.e. e-commerce website or mobile application), processes transactions and receives settlement proceeds on behalf of those sellers; entities that do not process transactions on behalf of sellers are not considered Marketplaces. In this model, it is the Marketplace’s brand that attracts the customer and connects them with sellers operating on the Marketplace’s platform; the customer can see that they are purchasing from the seller on the Marketplace and not the Marketplace itself. Marketplaces are not permitted to operate in a “card present” environment. Refer to Beyond the Acquirer: Additional Visa Acceptance Entities for more details.
Staged Digital Wallet Operators
Digital wallets are software-based systems that (i) store information about a customer’s Visa credentials used to fund the wallet’s account and (ii) are used to make payments – either purchases from sellers or money remittance (i.e. person-to-person “P2P” transfers). Staged Digital Wallets are capable of conducting “back-to-back funding” transactions, which permit the customer to undertake transactions with sellers on the digital wallet’s platform when there are not sufficient funds in the digital wallet-assigned account to complete the transaction (which may include a “zero balance”). Refer to Beyond the Acquirer: Additional Visa Acceptance Entities for more details.
Distribution Channel Vendors (DCV)
Packaging, storing and shipping of non-personalized Visa products (e.g. warehouses, wholesalers, logistics companies). For more information please contact AVPamericas@visa.com.
Instant Card Personalization and Issuance Agent (ICPIA)*
A third party** that performs instant card personalization issuance for the issuer.
* ICPIA employer or government managed programs are excluded from the agent registration requirement; however, they must comply with the remaining requirements listed in the VIOR Agents section.
** Retailer and kiosk locations are included in this definition.
For more information please contact AVPamericas@visa.com.
Dynamic Currency Conversion (DCC)
Contracts with an acquirer to provide currency conversion services to sponsored merchants at checkout.
For more information please contact DCCcompliance@visa.com.
Visa Recognized Third Parties – Does Not Require Registration
- Qualified Integrator & Reseller: Sells, installs, and/or services payment applications on behalf of software vendors or others. Integrator services may include: servicing the payment applications (for example, troubleshooting, delivering remote updates, and providing remote support) according to the PA-DSS Implementation Guide and PCI DSS (PCI SSC website, 2014).
- Technology Solution Integrators: Sells software or provides SaaS (hosts the software in the cloud or installs applications directly on the server) for a merchant. The integrator’s technology is configured to the gateway’s system.
- POS Integrators: Integrates POS devices/systems and may have remote access for ongoing support.