If you’re a service provider, you’ll want to read this information from Mastercard about registering with them as a PCI compliant service provider. But before you read it, it’s worth having a brief tour around some relevant terminology.
If you’re a Merchant, you may find this interesting anyway, especially if the PCI compliance and registration of your service providers is something you need to know more about.
Note that this is information from Mastercard, which is a single global brand, as distinct from Visa, which has numerous regional organisations. Visa has its own registration process, which I’ve talked about previously.
Terminology between card brands differs too. For example, when we say “Service Provider”, Visa Europe says “Agent” and Mastercard says “Member Service Provider”. Furthermore, Mastercard MSPs fall into two categories: Third Party Processors (TPPs) and Data Storage Entities (DSEs).
Just to round things off, you should also know that Mastercard and Visa use different names for their card data security programmes. Visa Inc. has the “Cardholder Information Security Program” (CIS), and Visa Europe has the “Account Information Security Program” (AIS). Mastercard has the “Site Data Protection” program (SDP).
Fortunately, all of these programmes are aligned with the PCI DSS.
One last point before you read the message below: a “member bank” refers to a bank that is a member of a card scheme such as Visa or Mastercard. The bank will often be a card acquirer (“acquiring bank”) or card issuer (“issuing bank”), or both. Other organisations can be scheme members too, but that’s a subject for another day.
I think that’s enough terminology for now.
To summarise, if you’re a service provider, you’ve been assessed by a QSA, and you now want to be listed on the Mastercard list of compliant service providers, here’s what you need to know. This is quoted directly from our conversations with the Mastercard compliance team.
“MasterCard requires that the newly identified entity first register as an MSP (Member Service Provider) with the MSP registration team here at MasterCard (firstname.lastname@example.org). Note that only one or more of our member banks can enter them into our system. If they have a direct relationship with one or more of our member banks, they should contact each one for separate registration. If they do not have a direct relationship with one or more of our members, they would need to get sponsorship from their customer’s bank to get set up (this may be either a merchant or another processor, such as a Third Party Processor – many of which have direct relationships with our banks).
Note that the Attestation of Compliance (or Certificate of Validation) is submitted only once annually to satisfy the PCI Compliance side of the process. The team which runs MSP registration is separate from the Site Data Protection Program / PCI Compliance group. They can be contacted at the address noted above. Service Providers fall into one of two categories with MasterCard (TPPs and DSEs). More information can be found here:
Please note: As of October 1, 2010, MasterCard will only list those Service Providers that are also registered and approved as an MSP (Member Service Provider) with the MasterCard Registration Program (MRP) and who have also successfully completed an annual onsite assessment and submitted the AOC.”
Note that Ambersail cannot register you with a member bank. You’re most likely to achieve this by speaking with one of your service customers and asking them to contact their acquiring bank about service provider/agent registration.