Visa Service Provider Re-Validation and COVID-19

Many companies are listed as PCI DSS compliance service providers on the Visa Service Providers Global Registry. This registry is an annual re-validation for those listed. When a company has not re-validated by their expiration date, their status turns to “yellow,” Then, 30 days/one month later, the status turns to “red.”

Due to COVID-19 and the impact it has had on QSA companies being able to engage with and validate service providers’ PCI compliance, a waiver has been put in place by Visa. The waiver allows all service providers with a re-validation date that expires prior to July 21, 2020, to remain “green” (or in a compliance status). The waiver will be lifted on August 1, 2020, and all service providers will turn “yellow” if they have not re-validated by this date. If re-validation for those providers that had an expiration date prior to July 31, 2020, has not been re-validated by September 1, 2020, their status will turn to “red,” and Visa will continue updating the listing on a monthly basis as it did previous to COVID-19.

New Considerations

There are some considerations that Visa will take into account in order for a service provider to move their re-validation date if they feel it is not attainable in a timely manner:

1. Significant infrastructure changes (Data center implementations/ migrations)
2. Scope changes (new applications, services, locations, etc. are in-scope that were not in the prior service provider validation)
3. Ownership changes (mergers, acquisitions, and/or the sale of a company)

To clarify the points above, for Visa to consider moving a company’s re-validation date, there must be some material reasons as to why the QSA company is not able to engage with, test, and validate the scope of the provider that is under review for PCI compliance. As an example, a change in management at the CEO level does not prevent two organizations from engaging with one another. A change in ownership due to acquisition, however, changes the types of service offerings, business processes, and personnel that will be interviewed, as well as providing evidence to the QSA company for compliance and re-validation.

What to do?

If your company feels it will not be able to meet its Visa re-validation date due to COVID-19 or other extenuating circumstances, provide the below documentation to pcirocs@visa.com :

1. Letter of Engagement between your company and the QSA company
2. PCI DSS Prioritized Approach Tool Summary
3. Additional explanation as to the constraint/limitation of completing the assessment by the re-validation date
4. The anticipated date of completion that the re-validation date should be reset to

Please reach out to us at connect@compliancepoint.com if you have any questions about this topic or how CompliancePoint can assist your organization with achieving PCI DSS Certification or managing your PCI compliance.