Merchants

Merchants

Compliance validation details for merchants

Merchant banks are responsible for ensuring that all of their merchants comply with the PCI Data Security Standard (DSS) requirements; however, merchant compliance validation has been prioritized based on the volume of transactions, the potential risk, and exposure introduced into the payment system.

U.S. Technology Innovation Program


Effective 1 October 2012, Visa expanded the Technology Innovation Program (TIP) to the U.S. TIP rewards merchants that have invested in EMV technology by eliminating the requirement to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) for any year in which at least 75 percent of the eligible merchant’s Visa transactions originate from dual-interface EMV chip-enabled terminals.

To qualify, terminals must be enabled to support both EMV contact and contactless chip acceptance, including mobile contactless payments based on NFC technology. Contact chip-only or contactless-only terminals will not qualify for the U.S. program.

Visa developed TIP to recognize and acknowledge merchants that have taken action to prevent counterfeit fraud by investing in EMV technology. The program is part of Visa’s overall effort to introduce more dynamic authentication data into the payment system and prepare for the use of emerging technologies that aid in the protection of the payment system by encouraging merchant investment in contact and contactless chip payment terminals.

Minimum Merchant Qualification Standards

To qualify for the program and receive its benefits, U.S. merchants must meet all of the following criteria:

  1. The merchant must have validated PCI DSS compliance within the previous 12 months or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance, based on a gap analysis.
  2. The merchant must have confirmed that sensitive authentication data (i.e., full contents of magnetic stripe, CVV2 and/or PIN data) is not stored, as defined in the PCI DSS.
  3. At least 75 percent of the merchant’s total transaction count must originate from dual-interface (contact / contactless) enabled chip-reading device terminals.
  4. The merchant must not be involved in a breach of cardholder data. A breached merchant may qualify for TIP if they have subsequently validated PCI DSS compliance.

Merchants that do not meet the program’s terminalization requirements, including merchants whose transaction volume is primarily from e-commerce and Mail Order / Telephone Order (MO/TO) acceptance channels, are still required to validate PCI DSS compliance annually in accordance with Visa compliance programs.

Visa will work directly with acquirers to confirm eligible merchants and verify acquirer reporting responsibilities. Note: Participation in the program is contingent upon the acquirer’s submission of—and Visa’s approval of—a program application for each qualifying merchant. Visa will work closely with acquirers on the continued monitoring of merchants’ PCI DSS compliance and dual-interface terminalization efforts.

Please click here for the U.S. TIP application.

PCI Compliance Acceleration Program

Visa developed the PCI Compliance Acceleration Program to provide financial incentives and establish enforcement provisions for acquirers to ensure their merchants validate PCI DSS compliance. In accordance with the PCI Compliance Acceleration Program, merchant banks must additionally ensure that all Level 1 and 2 merchants validate that prohibited data is not retained by submitting a completed Prohibited Data Retention Attestation form

OR

the PCI DSS Attestation of Compliance ("AOC") - Merchants v2.0.

The Merchant PCI DSS Compliance Update highlights compliance progress for level 1, 2 and 3 merchants.

Merchant levels and compliance validation requirements defined

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ("DBA"). In cases where a merchant corporation has more than one DBA, Visa merchant banks must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, merchant banks will continue to consider the DBA's individual transaction volume to determine the validation level.

Any entity, including merchants, that stores, processes or transmits Visa cardholder data must be PCI DSS compliant. In addition to adhering to the PCI DSS, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants. The PCI DSS requires that all merchants with externally-facing IP addresses perform quarterly, external network scans to achieve compliance. Merchant banks may require submission of the quarterly scan reports and/or questionnaires by level 4 merchants. Any merchant that has suffered a breach that resulted in an account data compromise may be escalated to a higher validation level.

Level / Tier 1 Merchant Criteria Validation Requirements
1 Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region 2
  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) or Internal Auditor if signed by officer of the company
    • The internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor (“ISA”) certification
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form
2 Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
3 Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
4 Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually
  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by merchant bank

1 - Compromised entities may be escalated at regional discretion

2 – Merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. Exception may apply to global merchants if no common infrastructure and if Visa data is not aggregated across borders; in such cases merchant validates according to regional levels.

Validation procedures and documentation

Merchant banks must ensure that their merchants validate at the appropriate level and obtain the required compliance validation documentation from their merchants. Merchant banks must submit detailed bi-annual status reports for Level 1, Level 2, and Level 3 merchants to Visa and all compliance validation documentation must be made available to Visa upon request. Level 4 merchant PCI DSS status is reported on a bi-annual basis within the Acquirer Scorecard report. Merchant banks and merchants should also verify the compliance reporting requirements of other payment card brands which may require proof of compliance validation.

Compliance validation takes place at the merchant's expense, as follows:

  • Level 1 Merchants


    The Annual On-Site PCI Data Security Assessment must be completed for Level 1 merchants according to the Navigating the PCI DSS v2.0 document. This document is also to be used as the template for the Report on Compliance.

    Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their merchant bank. Alternatively, merchant banks may elect to accept the Report on Compliance from a Level 1 merchant's Internal Security Assessor, provided that a letter signed by a merchant officer accompanies the report. Level 1 merchants must also submit the PCI DSS AOC – Merchants v2.0 form completed by their assessor to their merchant bank.

    Merchant banks must submit the PCI DSS AOC – Merchants v2.0form and a letter accepting the merchant's full compliance validation to Visa upon receipt and acceptance of the merchant's validation documentation.

    Download the PCI Data Security Standard v2.0.

    Download the PCI DSS AOC - Merchants v2.0.

  • Level 2/Level 3/Level 4 Merchants


    The PCI DSS Self-Assessment Questionnaire (“SAQ”) must be completed by Level 2 and 3 merchants. Level 4 merchants may be required to complete the applicable PCI DSS SAQ as specified by their merchant bank.

    Download the PCI DSS Self-Assessment Questionnaire.

All Applicable Merchants


The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities and is applicable to merchants with externally-facing IP addresses that are connected to their payment card processing environment. It conducts a non-intrusive scan to remotely review networks and Web applications based in the externally-facing Internet Protocol (IP) address provided by the merchant. Merchant banks must ensure that the quarterly network security scans required of their applicable merchants are performed by an Approved Scanning Vendor.

Download the PCI Security Scanning Procedures.

For more information

To learn more about the Visa's compliance programs, contact Visa via email at AskVisaUSA@Visa.com.