Visa/Mastercard Third Party Registration Requirements

Effective May 2013
Visa MasterCard Registration Procedures
Visa
Term
ISO
Definition
An organization or individual, which is not a Member, whose
bankcard-related business relationship with a Member
involves any of the following:
* Merchant solicitation, sales, or services
* Merchant Transaction processing solicitation
* Cardholder solicitation or Card application processing
services
* Provides solicitation materials, information on discount
rates, Merchant application forms or data capture equipment
Registration Requirements
*Enhanced ISO/Service Provider
Risk Standards must be
administered during the
registration process, but does not
need to be submitted to Visa
*Must be PCI compliant if ISO
has access to, stores, or transmits
cardholder data
Subcontracting occurs as in the following example:
A 1099 or W2 employee of a registered ISO which submits
applications through a different registered ISO to facilitate
acceptance of "hard to place" Merchants.
Sub-Independent Sales
Organization (ISO)-selling
under the name of primary
ISO
Initial Registration
Fees
Annual Renewal
Fees
Due Diligence/Credit Review
Yes- Full Due
Diligence
Member Bank Sign-off Required
Penalties for Non-Registration
Yes
First Violation - $10,000
Second Violation in a rolling 60-month period-$25,000
Third Violation in a rolling 60-month period-$50,000
Fourth Violation in a rolling 60-month period-$100,000
In addition to the violations, Visa assesses an additional fine of
US $20,000 for each 30-calendar-day period, or portion thereof,
during which a U.S. Member fails to:
• Register a Third Party, as specified in "Third Party Registration
Program - U.S. Region"
• Notify Visa of a change, as specified in "Third Party Change
Notification - U.S. Region"
If a U.S. Member repeatedly fails to comply with registration or
notification requirements in a 60-month rolling period, Visa may assess the Member fines in
addition to the US $20,000 fine. Such
fines may be assessed at Visa discretion and are cumulative.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
$5,000 - for the Primary ISO only - not for the Sub-ISO
$5,000 - for the Primary ISO only - not for the Sub-ISO
N/A
N/A
First Violation - $10,000
Second Violation in a rolling 60-month period-$25,000
Third Violation in a rolling 60-month period-$50,000
Fourth Violation in a rolling 60-month period-$100,000
In addition to the violations, Visa assesses an additional fine of
US $20,000 for each 30-calendar-day period, or portion thereof,
during which a U.S. Member fails to:
• Register a Third Party, as specified in "Third Party Registration
Program - U.S. Region"
• Notify Visa of a change, as specified in "Third Party Change
Notification - U.S. Region"
If a U.S. Member repeatedly fails to comply with registration or
notification requirements in a 60-month rolling period, Visa may assess the Member fines in
addition to the US $20,000 fine. Such
fines may be assessed at Visa discretion and are cumulative.
$5,000
$5,000
N/A
N/A
Sub-Contracting is not permitted per Visa
N/A
ISO employees must either be (i)
W2 employees of the registered
ISO or (ii) registered 1099
employees of the registered ISO or
Visa Member and solicit only
under the registered ISO name.
ISOs can only accept Merchant
applications from their W2
employees or Visa registered 1099
employees.
N/A
Independent Contractor - An individual (1099 employee of either a Member or an ISO)
Independent Contractor has been eliminated by Visa as of May, 2005
N/A
Sub-Contractor - not
permitted per Visa
Forms
1 - BAMS Due
Diligence Forms
2 - Visa Online
Membership
Management
System
N/A
An organization or individual, which is not a Member, whose
bankcard related business relationship with a Member is
*Merchant solicitation, sales or service and/or
*Cardholder solicitation.
**Sub may not use its name in the Sales process. They
must sell only under the registered ISO name.
N/A
Sub-Independent Sales Organization (ISO)-selling under their own name
An organization or individual, which is not a Member, whose
bankcard related business relationship with a Member is
*Merchant solicitation, sales or service and/or
*Cardholder solicitation.
*Enhanced ISO/Service Provider
Risk Standards must be
administered during the
registration process, but does not
need to be submitted to Visa
*Must be PCI compliant if ISO
has access to, stores, or transmits
cardholder data
1 - BAMS Due
Diligence Forms
2 - Visa Online
Membership
Management
System
$5,000
$5,000
Yes-Full Due
Diligence
Yes
First Violation - $10,000
Second Violation in a rolling 60-month period-$25,000
Third Violation in a rolling 60-month period-$50,000
Fourth Violation in a rolling 60-month period-$100,000
In addition to the violations, Visa assesses an additional fine of
US $20,000 for each 30-calendar-day period, or portion thereof,
during which a U.S. Member fails to:
• Register a Third Party, as specified in "Third Party Registration
Program - U.S. Region"
• Notify Visa of a change, as specified in "Third Party Change
Notification - U.S. Region"
If a U.S. Member repeatedly fails to comply with registration or
notification requirements in a 60-month rolling period, Visa may assess the Member fines in
addition to the US $20,000 fine. Such
fines may be assessed at Visa discretion and are cumulative.
Third-Party Servicer (TPS)
An organization that:
* Has a Direct contractual relationship with the Member
* Is not a Member of Visa USA & is not directly connected to
VisaNet
* Examples include but are not limited to:
• Gateways from a Merchant to a Processor
• Provider of Back Office Support
• Supporting loyalty programs
• Electronic Data Capture
• Fraud servicing, monitoring or scrubbing
• Credit Underwriting (issuing)
• Collections
• Voice authorization and routing
• Call referral processing/telemarketing
• Clearing file preparations and submissions
• Settlement processing
• Cardholder and merchant statement preparation
• Chargeback processing
• Merchant help desk support
• Loading software into terminals accepting cards
• Loading or injecting encryption keys into terminals
or PIN pads
*Enhanced ISO/Service Provider
Risk Standards must be
administered during the
registration process, but does not
need to be submitted to Visa
*Must be PCI compliant if ISO
has access to, stores, or transmits
cardholder data
1 - BAMS Due
Diligence Forms
2 - Visa Online
Membership
Management
System
$1,000 - per
member effective
2013
$1,000 - per
member effective
2013
Yes-Full Due
Diligence
Yes
First Violation - $10,000
Second Violation in a rolling 60-month period-$25,000
Third Violation in a rolling 60-month period-$50,000
Fourth Violation in a rolling 60-month period-$100,000
In addition to the violations, Visa assesses an additional fine of
US $20,000 for each 30-calendar-day period, or portion thereof,
during which a U.S. Member fails to:
• Register a Third Party, as specified in "Third Party Registration
Program - U.S. Region"
• Notify Visa of a change, as specified in "Third Party Change
Notification - U.S. Region"
If a U.S. Member repeatedly fails to comply with registration or
notification requirements in a 60-month rolling period, Visa may assess the Member fines in
addition to the US $20,000 fine. Such
fines may be assessed at Visa discretion and are cumulative.
Merchant Servicer (MS)
*Enhanced ISO/Service Provider
Risk Standards must be
administered during the
registration process, but does not
need to be submitted to Visa
*Must be PCI compliant if ISO
has access to, stores, or transmits
cardholder data
1 - BAMS Due
Diligence Forms
2 - Visa Online
Membership
Management
System
$1,000 - per
member effective
2013
$1,000 - per
member effective
2013
Yes-Full Due
Diligence
Yes
First Violation - $10,000
Second Violation in a rolling 60-month period-$25,000
Third Violation in a rolling 60-month period-$50,000
Fourth Violation in a rolling 60-month period-$100,000
In addition to the violations, Visa assesses an additional fine of
US $20,000 for each 30-calendar-day period, or portion thereof,
during which a U.S. Member fails to:
• Register a Third Party, as specified in "Third Party Registration
Program - U.S. Region"
• Notify Visa of a change, as specified in "Third Party Change
Notification - U.S. Region"
If a U.S. Member repeatedly fails to comply with registration or
notification requirements in a 60-month rolling period, Visa may assess the Member fines in
addition to the US $20,000 fine. Such
fines may be assessed at Visa discretion and are cumulative.
An organization that:
* Has a Direct contractual relationship with the Merchant
* Is not a Member of Visa USA & is not directly connected to
VisaNet
* Provides response processing for Visa Members related to
program solicitations, transaction processing, data capture,
and/or other administrative functions, such as chargeback
processing, risk/security reporting, and customer service. See
Third-Party Servicer (above) for additional examples
Encryption and Support
Organization (ESO)
An organization that is not a Member, whose debit business
relationship involves any of the following activities:
* Loading software into an ATM or terminal that accepts
cards
* Loading or injecting encryption keys into an ATM or terminal/PIN Pad
* Providing help-desk support that includes re-programming of
ATM/terminal software
* Generating, storing, or loading/injecting cryptographic keys
into PIN Pads or ATMs
* Distributing new DES keys or destroying old DES keys
* Decommissioning or commissioning PIN-entry devices
* Providing general key custodial support services
*Enhanced ISO/Service Provider
Risk Standards must be
administered during the
registration process, but does not
need to be submitted to Visa
*Must be PCI PIN compliant providing a current TG-3 and Visa
PIN Security Audit
1 - BAMS Due
Diligence Forms
2 - Visa Online
Membership
Management
System
$1,000 - per
member effective
2013
$1,000 - per
member, effective
2013
Yes-Full Due
Diligence
Yes
First Violation - $10,000
Second Violation in a rolling 60-month period-$25,000
Third Violation in a rolling 60-month period-$50,000
Fourth Violation in a rolling 60-month period-$100,000
In addition to the violations, Visa assesses an additional fine of
US $20,000 for each 30-calendar-day period, or portion thereof,
during which a U.S. Member fails to:
• Register a Third Party, as specified in "Third Party Registration
Program - U.S. Region"
• Notify Visa of a change, as specified in "Third Party Change
Notification - U.S. Region"
If a U.S. Member repeatedly fails to comply with registration or
notification requirements in a 60-month rolling period, Visa may assess the Member fines in
addition to the US $20,000 fine. Such
fines may be assessed at Visa discretion and are cumulative.
VisaNet Processor
Effective June 6, 2007, a Member, or Visa approved nonmember who is
directly connected to VisaNet, that provides Authorization,
Clearing, or Settlement services for
Merchants and/or Members.
Referral
Visa ISO Guide: A referral occurs when an individual or organization recommends that a Merchant consider processing credit transactions through a specific Visa Member. The individual or organization may provide (i) general information regarding credit card processing and (ii) the Visa Member's phone number for further information. The referring entity may not quote rate, fees, terms and conditions. A referral can only be made by an individual whose primary function is not merchant solicitation. Individuals who refer merchants to a particular Visa Member to obtain credit card processing are not required to register in the Agent Registration Program.
MasterCard
Definition
Registration Requirements
ISO
Term
An ISO is any MSP that provides Program Services, other
than transaction and cardholder processing, to a MasterCard
member in furtherance of the member's Program.
* By way of example and not limitation, such services include
merchant solicitation, cardholder solicitation, and customer
service
*ISO MSP application - thru MC
Connect/MRP System, executed
by MSP
*Must be PCI compliant if ISO
has access to, stores, or transmits
cardholder data
1 - BAMS Due
Diligence Forms
2 - MasterCard
Connect/MRP
System
$5,000
$5,000
Independent Contractor - MasterCard does not
acknowledge as a MSP
N/A
N/A
N/A
N/A
N/A
Sub Contractor - not permitted by MasterCard
N/A
N/A
N/A
N/A
N/A
An organization or individual, which is not a Member, whose
bankcard related business relationship with a Member is:
* Merchant solicitation, sales or service and/or
* Cardholder solicitation.
**Sub may not use its name in the Sales process. They
must sell only under the registered ISO name.
N/A
Sub-Independent Sales
Organization (ISO)-selling
under the name of primary
ISO
Forms
Initial Registration
Fees
Annual Renewal
Fees
Due Diligence/Credit Review
Yes, Full Due
Diligence
Member Sign-off
Required
Penalties for Violation
Yes
A Principal and Association that fails to comply with the Service
Provider registration requirements, including the failure to
complete a Service Provider
registration within 60 days as set forth in the MC Rules, is
subject to noncompliance assessments of up to USD 25,000 for
each 30-day period of noncompliance.
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
A Principal and Association that fails to comply with the Service
Provider registration requirements, including the failure to
complete a Service Provider
registration within 60 days as set forth in the MC Rules, is
subject to noncompliance assessments of up to USD 25,000 for
each 30-day period of noncompliance.
$5,000
Sub Independent Sales Organization (ISO)-Selling under their own name
An ISO is any MSP that provides Program Services, other
than transaction and cardholder processing, to a MasterCard
member in furtherance of the member's Program.
* By way of example and not limitation, such services include
merchant solicitation, cardholder solicitation, and customer
service
*ISO MSP application - thru MC
Connect/MRP System, executed
by MSP
*Must be PCI compliant if ISO
has access to, stores, or transmits
cardholder data
1 - BAMS Due
Diligence Forms
2 - MasterCard
Connect/MRP
System
$5,000
Yes, Full Due
Diligence
Yes
A Principal and Association that fails to comply with the Service
Provider registration requirements, including the failure to
complete a Service Provider
registration within 60 days as set forth in the MC Rules, is
subject to noncompliance assessments of up to USD 25,000 for
each 30-day period of noncompliance.
Type II Third-Party
Processor (TPP)
*ISO MSP application - thru MC
Connect/MRP System, executed
by MSP
*Must be PCI compliant if ISO
has access to, stores, or transmits
cardholder data
1 - BAMS Due
Diligence Forms
2 - MasterCard
Connect/MRP
System
$5,000 per Member
$5,000 per Member
Yes, Full Due
Diligence
Yes
A Principal and Association that fails to comply with the Service
Provider registration requirements, including the failure to
complete a Service Provider
registration within 60 days as set forth in the MC Rules, is
subject to noncompliance assessments of up to USD 25,000 for
each 30-day period of noncompliance.
A TPP is an MSP that performs transaction and cardholder
processing services for one or more members (such services
are referred to as "TPP" Services) and is contracted by the
Member.
* Program Services include, but are not limited to, terminal
operation, authorization routing, voice authorization, gateway
and switching services, call referral processing, electronic data
capture, clearing file preparation and submission, settlement
processing (excluding possession, ownership, or control of
settlement funds, which are prohibited), cardholder and
merchant statement preparation, and chargeback processing
Type I Third Party
Processor (TPP)
A TPP is defined as a Member Service Provider (MSP) that
performs transaction and cardholder processing Program
Services.
* Type I TPPs generally are those that provide Program
Service to a large number of
Members or that otherwise could significantly impact the
integrity of the Interchange System.
*A Type I TPP classification is based on, but not limited to,
the annual number of authorized credit and debit transactions
processed by the TPP.
*MasterCard, in its sole discretion, will determine which TPPs
to classify as Type I TPPs.
*ISO MSP application - thru MC
Connect/MRP System, executed
by MSP
*Must be PCI compliant if ISO
has access to, stores, or transmits
cardholder data
*A third-party risk assessment every two years.
•Personal identification number
(PIN) security review annually and
as determined necessary by
MasterCard
•MSP risk operations review (a
Risk Assessment Management
Program
[RAMP] Level 1 review or an
onsite review as determined by
MasterCard) annually
Data Storage Entity (DSE)
A DSE is defined as an entity other than a member,
merchant, ISO, or TPP that stores, transmits, or processes
card or transaction data for or on behalf of a merchant, ISO, or
TPP.
*Must be PCI compliant
*Registration required
Encryption and Support
Organization (ESO)
An ESO is categorized and registered as a DSE ONLY if the
entity is loading/injecting cryptographic keys. If the entity is
performing any additional functions, then they would be
categorized as an ISO and/or TPP and follow their respective
registration requirements as outlined.
1 - BAMS Due
Diligence Forms
2 - MasterCard
Connect/MRP
System
$50,000
$50,000
N/A
N/A
After MasterCard identifies a processor as a Type I TPP and
notifies such processor accordingly, MasterCard will grant the
processor 90 days from
the notification date to provide documentation required under the
Type I TPP Evaluation Program rules.
Failure to provide the required documentation to MasterCard
within 90 days of the notification date will result in a
noncompliance assessment of USD 25,000 each month until such
documentation is received.
Otherwise, MasterCard will reclassify the processor as a Type II
TPP.
1 - BAMS Due
Diligence Forms
2 - MasterCard
Connect/MRP
System
N/A
N/A
Yes, Full Due
Diligence
Yes
A Principal and Association that fails to comply with the Service
Provider registration requirements, including the failure to
complete a Service Provider
registration within 60 days as set forth in the MC Rules, is
subject to noncompliance assessments of up to USD 25,000 for
each 30-day period of noncompliance.
DSE - N/A
DSE - N/A
Yes, Full Due
Diligence
Yes
A Principal and Association that fails to comply with the Service
Provider registration requirements, including the failure to
complete a Service Provider
registration within 60 days as set forth in the MC Rules, is
subject to noncompliance assessments of up to USD 25,000 for
each 30-day period of noncompliance.
*Must be PCI compliant
*Registration required - based on
functions being performed
1 - BAMS Due
Diligence Forms
2 - MasterCard
Connect/MRP
System