Merchants

Merchants

PCI DSS Compliance

PCI Data Security Standard (DSS) compliance is required of all entities that store, process, or transmit Visa cardholder data, including financial institutions, merchants and service providers. The PCI DSS applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. Visa Inc.'s compliance programs manage compliance with the PCI DSS with the required program validation.

The PCI DSS offers a single approach to safeguarding sensitive data for all card brands. The PCI DSS consists of twelve basic requirements categorized as follows:

PCI Data Security Standard
Build and Maintain a Secure Network
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  • Protect all systems against malware and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need-to-know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
Maintain an Information Security Policy
  • Maintain a policy that addresses information security for all personnel

By complying with the PCI DSS, Visa members, merchants, and service providers not only meet their obligations to the payment system, but also build a culture of security that benefits everyone.

PCI Compliance Acceleration Program

Visa developed the PCI Compliance Acceleration Program to provide financial incentives and establish enforcement provisions for acquirers to ensure their merchants validate PCI DSS compliance. In accordance with the PCI Compliance Acceleration Program, merchant banks must additionally ensure that all Level 1 and 2 merchants validate that prohibited data is not retained by submitting a completed Prohibited Data Retention Attestation form

OR

the PCI DSS Attestation of Compliance ("AOC") - Merchants v3.0.

the Merchant PCI DSS Compliance Update highlights compliance progress for level 1, 2 and 3 merchants.

Compliance validation

Separate and distinct from the mandate to comply with the PCI DSS is the validation of compliance whereby entities verify and demonstrate their compliance status. It is a fundamental and critical function that identifies and corrects vulnerabilities, and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of compliance validation based on the volume of transactions, the potential risk, and exposure introduced into the payment system by merchants and service providers.

Compliance validation details for merchants

Merchant banks are responsible for ensuring that all of their merchants comply with the PCI Data Security Standard (DSS) requirements; however, merchant compliance validation has been prioritized based on the volume of transactions, the potential risk, and exposure introduced into the payment system.

Merchant levels and compliance validation requirements defined

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ("DBA"). In cases where a merchant corporation has more than one DBA, Visa merchant banks must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, merchant banks will continue to consider the DBA's individual transaction volume to determine the validation level.

Any entity, including merchants, that stores, processes or transmits Visa cardholder data must be PCI DSS compliant. In addition to adhering to the PCI DSS, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants. The PCI DSS requires that all merchants with externally-facing IP addresses perform quarterly, external network scans to achieve compliance. Merchant banks may require submission of the quarterly scan reports and/or questionnaires by level 4 merchants. Any merchant that has suffered a breach that resulted in an account data compromise may be escalated to a higher validation level.

Level / Tier 1 Merchant Criteria Validation Requirements
1 Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region 2
  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) or Internal Auditor if signed by officer of the company
    • The internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor (“ISA”) certification
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form
2 Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
3 Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
4 Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually
  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by merchant bank

1 - Compromised entities may be escalated at regional discretion

2 – Merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. Exception may apply to global merchants if no common infrastructure and if Visa data is not aggregated across borders; in such cases merchant validates according to regional levels.

Validation procedures and documentation

Merchant banks must ensure that their merchants validate at the appropriate level and obtain the required compliance validation documentation from their merchants. Merchant banks must submit detailed bi-annual status reports for Level 1, Level 2, and Level 3 merchants to Visa and all compliance validation documentation must be made available to Visa upon request. Level 4 merchant PCI DSS status is reported on a bi-annual basis within the Acquirer Scorecard report. Merchant banks and merchants should also verify the compliance reporting requirements of other payment card brands which may require proof of compliance validation.

Compliance validation takes place at the merchant's expense, as follows:

  • Level 1 Merchants


    The Annual On-Site PCI Data Security Assessment must be completed for Level 1 merchants according to the Navigating the PCI DSS v3.0 document. This document is also to be used as the template for the ROC.

    Level 1 merchants should engage a QSA to complete the ROC and provide the report to their merchant bank. Alternatively, merchant banks may elect to accept the ROC from a Level 1 merchant's ISA, provided that a letter signed by a merchant officer accompanies the report. Level 1 merchants must also submit the PCI DSS AOC – Merchants v3.0 form completed by their assessor to their merchant bank.

    Merchant banks must submit the PCI DSS AOC – Merchants v3.0 form and a letter accepting the merchant's full compliance validation to Visa upon receipt and acceptance of the merchant's validation documentation.

    Download the PCI Data Security Standard v3.0.

    Download the PCI DSS AOC - Merchants v3.0.

  • Level 2/Level 3/Level 4 Merchants


    The PCI DSS SAQ must be completed by Level 2 and 3 merchants. Level 4 merchants may be required to complete the applicable PCI DSS SAQ as specified by their merchant bank.

    Download the PCI DSS Self-Assessment Questionnaire.

All Applicable Merchants


The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities and is applicable to merchants with externally-facing IP addresses that are connected to their payment card processing environment. It conducts a non-intrusive scan to remotely review networks and Web applications based in the externally-facing Internet Protocol (IP) address provided by the merchant. Merchant banks must ensure that the quarterly network security scans required of their applicable merchants are performed by an ASV.

U.S. Technology Innovation Program

Effective 1 October 2012, Visa expanded the Technology Innovation Program (TIP) to the U.S. TIP rewards merchants that have invested in EMV technology by eliminating the requirement to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) for any year in which at least 75 percent of the eligible merchant's Visa transactions originate from dual-interface EMV chip-enabled terminals.

To qualify, terminals must be enabled to support both EMV contact and contactless chip acceptance, including mobile contactless payments based on NFC technology. Contact chip-only or contactless-only terminals will not qualify for the U.S. program.

Visa developed TIP to recognize and acknowledge merchants that have taken action to prevent counterfeit fraud by investing in EMV technology. The program is part of Visa's overall effort to introduce more dynamic authentication data into the payment system and prepare for the use of emerging technologies that aid in the protection of the payment system by encouraging merchant investment in contact and contactless chip payment terminals.

Effective 1 April 2015, Visa will expand TIP qualification to merchants that have invested in a validated point-to-point encryption solution. Qualifying solutions are those that are included on PCI SSC’s list of Validated Point-to-Point Encryption Solutions or independently validated by a PCI SSC Qualified Security Assessor point-to-point encryption company. Point-to-point encryption helps to secure a merchant’s acceptance environment by removing or devaluing cardholder data. Visa recognizes the security value this technology brings to the POS acceptance environment.

Minimum Merchant Qualification Standards

To qualify for the program and receive its benefits, U.S. merchants must meet all of the following criteria:

  1. Confirm that sensitive authentication data (i.e., the full contents of magnetic stripe, CVV2 and PIN data) are not stored subsequent to transaction authorization, as defined in the PCI DSS.
  2. Ensure that at least 75 percent of all transactions originate through one of the following secure acceptance channels:

    • Enabled and operating chip-reading terminals (U.S. merchants must meet the volume criteria with dual-interface contact / contactless terminals)¹
    • Validated point-to-point encryption service² (NEW)
  3. Not be involved in the breach of cardholder data. A breached merchant may qualify for TIP if it has subsequently validated PCI DSS compliance.

Merchants that do not meet the program's terminalization requirements, including merchants whose transaction volume is primarily from e-commerce and Mail Order / Telephone Order (MO/TO) acceptance channels, are still required to validate PCI DSS compliance annually in accordance with Visa compliance programs.

Visa will work directly with acquirers to confirm eligible merchants and verify acquirer reporting responsibilities. Note: Participation in the program is contingent upon the acquirer's submission of—and Visa's approval of—a program application for each qualifying merchant. Visa will work closely with acquirers on the continued monitoring of merchants' PCI DSS compliance and dual-interface terminalization efforts.

Please click here for the U.S. TIP application.

¹ Chip-enabled terminals must have current, valid EMV approval and pass Acquirer Device Validation Toolkit (ADVT) / Contactless Evaluation Toolkit (CDET) / Visa payWave Test Tool (VpTT) testing requirements, as applicable.
² The point-to-point encryption solution must be included on the PCI SSC list of validated solutions or independently validated by a PCI SSC Qualified Security Assessor point-to-point encryption company.

Regulation and assessments

The Visa Core Rules and Visa Product and Service Rules governs the activities of client financial institutions and, by extension, merchants and service providers as participants in the Visa payment system.

A merchant's acquiring bank is responsible for ensuring the PCI Data Security Standard (DSS) compliance of the merchant and any service providers the merchant is using. A merchant must maintain full compliance at all times. (VCR section ID #0002228 and #0008031)

If a merchant does not comply with the PCI DSS or fails to rectify a security issue, Visa may assess a non-compliance assessment to the merchant's acquirer. The acquirer is responsible for paying all assessments and must not represent that Visa has imposed any assessment on the merchant. (VCR section ID #0001054)

Assessments may be waived if there is no evidence of PCI DSS non-compliance prior to, and at the time of a data breach, as demonstrated during a forensic investigation.

Acquirers of compromised Level 3 and Level 4 merchants may be granted safe harbor from non-compliance assessments if the Level 3 or Level 4 merchant has implemented an approved security measure prior to the date of intrusion of the compromise event. Please contact your acquirer for more details on the Secure Acceptance Incentive Program.

For more information

To learn more about the Visa's compliance programs, contact Visa via email at AskVisaUSA@Visa.com.