Visa Global Registry of Service Providers Explained
The Visa Global Registry of Service Providers is Visa's public list of third-party agents that have passed an annual PCI DSS assessment by a QSA and meet Visa's compliance requirements. Merchants use it to confirm a vendor's PCI status before signing.
What the Visa Global Registry of Service Providers actually is
The Visa Global Registry of Service Providers is a public directory Visa maintains of every third-party agent that has passed Visa's compliance vetting under the Account Information Security (AIS) programme. If your business stores, processes, or transmits Visa cardholder data on behalf of merchants, acquirers, or issuers, Visa expects you to be on this list. Merchants and acquirers use it as a vendor due-diligence checkpoint before signing a contract.
The registry isn't the same as PCI DSS compliance on its own. PCI DSS is the underlying security standard. Registration with Visa is an extra layer on top: you have to be PCI DSS validated, you have to be enrolled in Visa's AIS programme, and you have to submit your validation documents to Visa each year. Pass all three and Visa lists you. Miss your annual deadline and you drop off.
Who needs to be on it
Visa defines a service provider as any third party that touches cardholder data on behalf of someone else in the payment chain. That covers a wide set of business models:
- Payment gateways and processors
- Hosted call-centre platforms and IVR providers
- DTMF masking and pause-and-resume call-recording vendors
- Managed hosting providers for in-scope systems
- Tokenisation and vaulting services
- Card-on-file storage providers
- Fraud screening services that receive PAN data
- Print and statement bureaux that handle card data
If you only handle cardholder data for your own merchant account and don't act on behalf of anyone else, you're a merchant, not a service provider. You don't register. You complete the appropriate SAQ or a merchant ROC instead.
How to get listed
Getting on the registry is a three-step process, and all three steps run on an annual cycle.
1. Pass a PCI DSS assessment as a Level 1 service provider
Any service provider that stores, processes, or transmits more than 300,000 Visa transactions per year is Level 1. Level 1 service providers must have a Report on Compliance (ROC) signed off by a Qualified Security Assessor (QSA). Smaller providers handling fewer than 300,000 transactions can self-assess with the SAQ-D for service providers, but Visa still requires the ROC route for registry listing in most categories.
2. Enrol in Visa's AIS programme
Enrolment is done through your acquirer or directly with Visa, depending on your region. You submit your company details, the services you provide, and the scope of cardholder data you handle. Visa reviews and confirms you're eligible to be assessed against their requirements.
3. Submit your AOC and supporting documents to Visa
Once your QSA signs off the ROC, your Attestation of Compliance (AOC) and the relevant sections of the ROC go to Visa. Visa reviews them and, if everything checks out, you appear on the public registry within a few weeks. The listing shows your company name, the services covered, your assessment date, and your validity expiry.
The annual renewal cycle
Your listing is valid for one year from the date of your AOC. To stay on the registry, you have to repeat the full assessment every year and resubmit. There's no grace period worth relying on — if your AOC expires and the new one isn't lodged with Visa, you drop off the registry and merchants checking the list will see you as non-compliant. Most providers schedule their assessment fieldwork at least three months before expiry to give the QSA, Visa, and any remediation work enough breathing room.
Why merchants check the registry
For a merchant, hiring a service provider that touches cardholder data is one of the easier ways to expand your own PCI scope by accident. If your vendor is breached, you can end up answering for it under your own merchant agreement.
Checking the Visa registry before you sign is cheap insurance. It tells you three things:
- The provider is compliant today. Their AOC is current, signed by a QSA, and accepted by Visa.
- The services you're buying are actually in scope. The registry listing shows which specific services were assessed. A vendor might be listed for tokenisation but not for call-centre payment capture — read the scope.
- You have evidence for your own assessor. When your QSA asks for proof of vendor due diligence under PCI DSS Requirement 12.8, the registry entry plus a copy of the vendor's AOC is the cleanest answer you can give.
What if a vendor isn't on the registry?
Not every PCI-compliant vendor appears on the Visa registry, and that's not automatically a red flag. Some businesses pass their PCI DSS assessment but don't enrol in AIS because they don't serve enough Visa volume to warrant it, or they only serve issuers and not merchants. Ask the vendor directly for their current AOC and the name of their QSA. If they can't produce one, walk away.
A vendor who used to be on the registry and isn't anymore is a different conversation. That usually means they missed their renewal. Ask why and when the next AOC is expected.
Visa registry vs Mastercard CSPCDP
Mastercard runs an equivalent list called the Compliant Service Provider Customer Database Portal (CSPCDP). Most service providers handling card data appear on both, because most acquirers and merchants will check both before contracting. American Express runs its own data security operating policy with a similar attestation requirement but no public registry — you have to ask the vendor for their AOC directly. If you're vetting a vendor, plan to check Visa, Mastercard, and request Amex evidence separately.
Frequently Asked Questions
How often does Visa update the Service Provider Registry?
Visa refreshes the public registry monthly. Individual provider entries update whenever a new AOC is submitted and accepted, or when an existing entry expires.
Is the Visa Global Registry the same as PCI DSS certification?
No. PCI DSS is the underlying security standard run by the PCI Security Standards Council. The Visa registry is Visa's own list of service providers who've passed PCI DSS and enrolled in Visa's AIS programme. You can be PCI DSS compliant without being on the Visa registry, but you can't be on the Visa registry without being PCI DSS compliant.
What's the difference between Level 1 and Level 2 service providers?
Level 1 service providers handle more than 300,000 Visa transactions a year and need a full ROC signed by a QSA. Level 2 providers handle fewer than 300,000 and can use the SAQ-D for service providers, though most still go through a QSA for credibility with merchants.
How long does it take to get listed on the Visa registry?
Plan for six to nine months from a standing start. The PCI DSS assessment itself usually runs three to six months including remediation. Visa's review after AOC submission is normally two to four weeks. If you've never been assessed before, scoping and gap analysis add another month or two at the front.
Do I need to be on the Visa registry if I only use a payment gateway?
If you're a merchant using a third-party gateway and never touch cardholder data yourself, no — you're a merchant, not a service provider. You complete the appropriate SAQ. The gateway is the one that needs the registry listing.