You have been recently listed in the Visa Europe Merchant Agents list: https://www.visamerchantagents.com/. How would you define a Merchant Agent and what role do they play in the current payment ecosystem?Merchant agents are those companies that provide payment-related services like processing, storing or transmitting cardholder data (directly or indirectly) and are typically contracted directly by the merchant or retailer, and have no direct relationship with the acquirer or PSP (although the latter may hold a contractual arrangement with a Visa member). These entities may pose a huge risk to the Visa system, and this is the reason why Visa Europe decided to create a tool for the merchant agents to self-register, identify themselves and attest their PCI DSS compliance, dubbed Visa Europe Merchant Agent list. If there are doubts regarding when to register an agent or not, there is a simple way to sort that out. Basically if an entity has access to card data or has a contractual obligation to protect it on behalf of a merchant, they should register. The fact that an agent may have a contractual agreement with a Visa member does not exempt them from the registration requirements.
Could you elaborate a little bit on the registration process (if possible)? What are the requirements you need to meet in order to receive such an accreditation? Do such requirements depend on the company`s business model or any other factors?The registration process is very straightforward: an easy-to-use online tool for electronic registration requiring agents to share with Visa Europe (the data itself is not public) certain business data and information to identify themselves and attest their PCI DSS compliance status. The Merchant Agent obtains its own login credentials which allows it then to also update any information at any time there is a change. Once per year, agents will be requested to update and revalidate their information (registration renewal) to ensure that their registration and their compliance status are always up to date and relevant. The Merchant Agent is fully in control. The amount of data merchant agents have to provide depends on several factors, such as the services they actually do provide, their business model, and most importantly, their PCI DSS compliance status. The more diverse the services are the more items they have to declare. For instance, for Payvision’s registration it took us less than 1 day, but depending on the complexity of your organization and your services it may take you more or much less time. If an agent doesn’t meet the requirements, Visa Europe consultants will guide him or her through the process in order to achieve listed status. However, note that the registration process is not free of charge. The fees that the agents are charged for program maintenance will depend on their annual transaction volume which will determine the amount it will be invoiced for registration and annual renewals.
What are the benefits of being listed as a Visa Merchant Agent and the impact of this program for Payvision?By getting listed on the Visa Europe merchant agents list, an agent shows it is fully PCI DSS compliant, enabling merchants and retailers to make more informed decisions when selecting and deciding to work with these agents. So, it is a win-win deal for all involved stakeholders and there are key benefits for the industry as a whole: acquirers and Card Schemes limit the reputational, financial and regulatory risk; the agents gain competitiveness as a result of being registered; and, as a consequence, the payment system gets more secure and reliable, which most likely will lead to growth in the payments sector.
According to a Visa Europe press release, within a month of going live, its website had already received 100 registrations, accounting for 15% of merchant-agent connections in Visa Europes territory. Currently, over 145 companies have been awarded the Visa Merchant Agent accreditation. In your opinion, do 145 represent a high enough enrolment volume?Although for the moment, there are over 145 agents listed, it is important to note that the ones registered account for an important share of the transactions made by Visa Europe merchants. It is expected, however, that in the course of 2013, many more agents will be listed as validated as we understand that there are a number currently being reviewed and pending public listing.
While taking a look at the Merchant Agent list, one can easily notice a regional difference: e.g. 82 companies based in the UK are already included, as compared to only 5 in Germany or 1 in Norway. How do you explain such a difference in terms of registration per country? The main reason for this difference is certainly not that there are fewer companies in Germany or Norway that may be in scope, but more likely less awareness of the program in those countries. The re-launch of the website in other languages (such as French, Spanish or German) will certainly greatly contribute to entice more merchant agents from those countries to start and complete the registration process.
What steps do Merchant Agents take to secure their systems and limit their exposure to account data compromises?Most importantly, all listed agents are PCI DSS compliant, which means that they have gone through all the PCI validation process. This risk-based approach ensures that the risk that those agents might pose to the payment environment is minimized. As a result of running through all the PCI DSS validation milestones, the agents:• Build and maintain a secure network• Protect cardholder data• Maintain a vulnerability management program• Implement strong access control measures• Regularly monitor and test networks, and• Maintain an Information Security Policy All the above steps help agents to protect their systems and help them to prevent data compromises from taking place.
VIDEOS:Michael Burtscher, our VP Business Development, gives more insights about Visa Europe Merchant Agent list: http://www.youtube.com/watch?v=FLZtiVIN0p0Ignacio González-Páramo, our VP Compliance, talks about the webinar and the registration process of Payvision: http://www.youtube.com/watch?feature=player_embedded&v=YN8tqX9EkOU
Michael Burtscher is responsible for the further development of Payvision’s global card payment network. In his previous role as Head of Third Party Risk at Visa Europe, Michael Burtscher successfully led a number of initiatives which increased Security for consumers and payment solution providers in the e-commerce market. He also worked to ensure adherence to the Visa Operating Regulations including PCI DSS.
Ignacio González-Páramo is the company`s VP Compliance, in charge of Payvision’s compliance with all Card Schemes’ rules as well as with domestic and international regulations and legislation. He also handles Public Affairs on behalf of Payvision as a Payment Institution. Given his background and expertise, Ignacio will surely provide the readers with a helpful insight on how to face regulatory challenges and compliance-related issues.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now