Visa Service Provider Re-Validation and COVID-19

CompliancePoint

Many companies are listed as PCI compliance service providers on the Visa Service Providers Global Registry. Those listed on this registry must re-validate annually. When a company has not re-validated by its expiration date, its status turns to “yellow.” Then, 30 days/one month later, the status turns to “red.”

Due to COVID-19 and its impact on QSA companies' ability to engage with and validate service providers’ PCI compliance, Visa has put a waiver in place. The waiver allows all service providers with a re-validation date that expires prior to July 21, 2020, to remain “green” (or in a compliance status). The waiver will be lifted on August 1, 2020, and all service providers will turn “yellow” if they have not re-validated by this date. If those providers that had an expiration date prior to July 31, 2020, have not re-validated by September 1, 2020, their status will turn to “red,” and Visa will continue updating the listing on a monthly basis as it did prior to COVID-19.

New Considerations

There are some considerations that Visa will take into account in order for a service provider to move their re-validation date if they feel it is not attainable in a timely manner:

  1. Significant infrastructure changes (data center implementations/migrations)
  2. Scope changes (new applications, services, locations, etc. are in-scope that were not in the prior service provider validation)
  3. Ownership changes (mergers, acquisitions, and/or the sale of a company)

To clarify the points above, for Visa to consider moving a company’s re-validation date, there must be material reasons why the QSA company is not able to engage with, test, and validate the scope of the provider that is under review for PCI compliance. As an example, a change in management at the CEO level does not prevent two organizations from engaging with one another. A change in ownership due to acquisition, however, changes the types of service offerings, business processes, and personnel that will be interviewed, as well as the evidence provided to the QSA company for compliance and re-validation.

What to do?

If your company feels it will not be able to meet its Visa re-validation date due to COVID-19 or other extenuating circumstances, provide the below documentation to pcirocs@visa.com:

  1. Letter of Engagement between your company and the QSA company
  2. PCI DSS Prioritized Approach Tool Summary
  3. Additional explanation as to the constraint/limitation of completing the assessment by the re-validation date
  4. The anticipated date of completion that the re-validation date should be reset to


Written by:

CompliancePoint