Merchants

Compliance validation details for merchants

Acquirers are responsible for ensuring that all of their merchants comply with the PCI Data Security Standard (DSS) requirements; however, merchant compliance validation has been prioritized based on the volume of transactions, the potential risk, and exposure introduced into the payment system.

PCI Compliance Acceleration Program

Visa developed the PCI Compliance Acceleration Program to provide financial incentives and establish enforcement provisions for acquirers to ensure their merchants validate PCI DSS compliance. Under the PCI Compliance Acceleration Program, acquirers must additionally ensure that all Level 1 and Level 2 merchants validate that prohibited data is not retained, by submitting to their acquirer a completed Prohibited Data Retention Attestation form, or alternatively either the Attestation of Compliance for Onsite Assessments - Merchants form or the Confirmation of Report Accuracy form.

The Merchant PCI DSS Compliance Update highlights compliance progress for level 1, 2 and 3 merchants.

Merchant levels and compliance validation requirements defined

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ("DBA"). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.

In addition to adhering to the PCI DSS, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants. The PCI DSS requires that all merchants with externally-facing IP addresses perform quarterly external network scans to achieve compliance. Acquirers may require submission of the quarterly scan reports and/or questionnaires by Level 4 merchants. Any merchant that has suffered a breach that resulted in an account data compromise may be escalated to a higher validation level.

Level / Tier (1): Merchant Criteria: Validation Requirements

Level 1: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region (2)
  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form

Level 2: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 3: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Level 4: Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by acquirer

(1) Compromised entities may be escalated at regional discretion.

(2) A merchant that meets the Level 1 criteria in any Visa country/region and operates in more than one country/region is considered a global Level 1 merchant. An exception may apply to a global merchant that has no common infrastructure and does not aggregate Visa data across borders; in such cases the merchant validates according to the regional levels.
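The level-determination rules above (volume thresholds, aggregation across DBAs when the corporate entity handles cardholder data for several of them, the global Level 1 rule and compromise escalation) encoded as an added example; this is illustrative code, not a Visa tool, and the function and parameter names are this example's own.

```python
from dataclasses import dataclass

# Validation requirements per level, taken from the merchant level table above.
REQUIREMENTS = {
    1: ("Annual ROC by QSA", "Quarterly ASV scan", "Attestation of Compliance"),
    2: ("Annual SAQ", "Quarterly ASV scan", "Attestation of Compliance"),
    3: ("Annual SAQ", "Quarterly ASV scan", "Attestation of Compliance"),
    4: ("Annual SAQ recommended", "Quarterly ASV scan if applicable",
        "Validation requirements set by acquirer"),
}

@dataclass(frozen=True)
class Dba:
    name: str
    all_channel: int  # all Visa transactions (credit, debit, prepaid) over 12 months
    ecommerce: int    # the e-commerce subset of all_channel

def level_for_volume(all_channel: int, ecommerce: int) -> int:
    """Apply the table's thresholds to one 12-month volume figure."""
    if all_channel > 6_000_000:
        return 1
    if all_channel >= 1_000_000:
        return 2
    if ecommerce >= 20_000:
        return 3
    return 4

def merchant_levels(dbas, corporate_name, aggregated, global_level1=False, escalate_to=None):
    """Return {entity name: level}. Parameter names are this example's own.

    aggregated    -- the corporate entity stores, processes or transmits cardholder
                     data on behalf of multiple DBAs, so their volumes are summed.
    global_level1 -- merchant meets Level 1 in some Visa region and operates in
                     more than one region (footnote 2), so it is a global Level 1.
    escalate_to   -- level assigned at regional discretion after a compromise
                     (footnote 1); a lower number is a higher level.
    """
    if aggregated:
        levels = {corporate_name: level_for_volume(sum(d.all_channel for d in dbas),
                                                   sum(d.ecommerce for d in dbas))}
    else:
        levels = {d.name: level_for_volume(d.all_channel, d.ecommerce) for d in dbas}
    if global_level1:
        levels = {k: 1 for k in levels}
    if escalate_to is not None:
        levels = {k: min(v, escalate_to) for k, v in levels.items()}
    return levels
```

The aggregation flag is the case that most often changes the outcome: two DBAs of 600,000 transactions each are both Level 4 on their own but Level 2 once the corporate entity handles their cardholder data together.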

Validation procedures and documentation

Acquirers must ensure that their merchants validate at the appropriate level and obtain the required compliance validation documentation from their merchants. Acquirers must submit monthly status reports to Visa and all compliance validation documentation must be made available to Visa upon request. Acquirers and merchants should also verify the compliance reporting requirements of other payment card brands which may require proof of compliance validation.

Compliance validation takes place at the merchant's expense, as follows:

  • Level 1 Merchants
    The Annual On-Site PCI Data Security Assessment must be completed for Level 1 merchants according to the PCI Requirements and Security Assessment Procedures v1.2 document. This document is also to be used as the template for the Report on Compliance.

    Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their acquirer. Alternatively, acquirers may elect to accept the Report on Compliance from a Level 1 merchant, provided that a letter signed by a merchant officer accompanies the report. Level 1 merchants must also submit the Attestation of Compliance for Onsite Assessments – Merchants form completed by their assessor to their acquirers. The Attestation of Compliance for Onsite Assessments – Merchants can be found in the PCI Requirements and Security Assessment Procedures v1.2 document.

    Acquirers must submit the Attestation of Compliance for Onsite Assessments - Merchants form and a letter accepting the merchant’s full compliance validation to Visa upon receipt and acceptance of the merchant’s validation documentation.

    Download the PCI Data Security Standard v1.2.

    Download the Attestation of Compliance for Onsite Assessments - Merchants.

  • Level 2/Level 3 Merchants
    The Annual PCI Self-Assessment Questionnaire must be completed by Level 2 and 3 merchants. Level 4 merchants may be required to complete the PCI Self-Assessment Questionnaire as specified by their acquirer.

    Download the PCI Self-Assessment Questionnaire.

  • Level 1/Level 2/Level 3 Merchants
    The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan that remotely reviews networks and Web applications reachable at the externally-facing Internet Protocol (IP) addresses provided by the merchant. Acquirers are responsible for ensuring that the quarterly network security scans required of their Level 1, 2, and 3 merchants are performed by an Approved Scanning Vendor. The Quarterly Network Security Scan is applicable to merchants with externally-facing IP addresses.

Download the PCI Security Scanning Procedures.

For more information

To learn more about Visa's compliance programs, contact Visa by email at AskVisaUSA@Visa.com.