I own a web hosting company and maintain my own servers in a colocation facility. I do not resell the hosting services of another company. My new startup company is a SaaS provider that I'm hosting on my web hosting company's servers.
I'm working on getting PCI-DSS compliance right now for both businesses. I've been told by my merchant account provider that not only do I need to get PCI-DSS compliance for my web hosting company, but that I also am REQUIRED to register with Visa's Third Party Agent (TPA) program and pay the $5000 fee to register plus $2500 annually. And that doesn't include any sort of costs for compliance testing.
My webhosting company is small and would have a hard time with these fees. My other company is a startup and is barely making anything yet. I had thought I could submit a Self Assessment Questionnaire (SAQ) and avoid big fees, but if money like this is required, how do any small web hosting companies exist?
I understand that getting PCI-DSS compliance is necessary. But is it true that registering for TPA is a REQUIREMENT? Or is it something I can do if I want to be listed on their list of compliant service providers? If I had customers insisting that I be listed at a TPA it would be one thing, but that isn't the case at this time. Can the merchant account provider require this? Is it up to them to decide if this is required, or is it mandated by some law?
Here's a snippet from the letter my merchant account provider sent to me:
When looking at your account we noticed that you are providing a service(s) that is potentially applicable for registration with the Payment Brands, including Visa and MasterCard. Any merchant that transmits, processes, or stores cardholder data on server(s) that you own/manage/operate on behalf of (your clients) who are other merchant account holders, must meet the PCI Data Security Standard and follow additional steps to register as a service provider. Applicable services commonly include webhosting, software as a service, or collecting payment on behalf of a client.
Any company providing these services must register with Visa’s Third Party Agent (TPA) program and MasterCard’s Data Storage Entity (DSE) program.
A Visa TPA is an entity that provides payment-related services, directly or indirectly, to a Visa client and/or stores, processes or transmits Visa account numbers: http://usa.visa.com/merchants/risk_management/cisp_service_providers.html. A great FAQ is available on the Visa website. Please note that Visa does require an initial registration fee of $5000, with an annual renewal fee which is currently $2500.
A MasterCard DSE is an entity that engages, or proposes to engage, in the processing, transmission, or storage of account data, transaction data, or both on behalf of any merchant, Independent Sales Organization (ISO), or Third Party Processor (TPP) of the member: http://www.mastercard.com/us/sdp/serviceproviders/index.html. MasterCard does not currently collect registration fees unless the DSE provides services on behalf of a processor.