The Visa Core Rules and Visa Product and Service Rules governs the activities of client financial institutions and, by extension, service providers and merchants as participants in the Visa payment system.
Issuers and acquirers are responsible for ensuring the PCI DSS compliance of its service providers and merchants, including service providers the merchant is using. A service provider and merchant must maintain full compliance at all times. (VCR section ID #0002228 and #0008031)
If a service provider or merchant does not comply with the PCI DSS or fails to rectify a security issue, Visa may assess a non-compliance assessment to the issuer or acquirer. The issuer or acquirer is responsible for paying all assessments and must not represent that Visa has imposed any assessment on the service provider or merchant. (VCR section ID #0001054)
Assessments may be waived if there is no evidence of PCI DSS non-compliance prior to, and at the time of a data breach, as demonstrated during a forensic investigation.
Acquirers of compromised Level 3 and Level 4 merchants may be granted safe harbor from non-compliance assessments if the Level 3 or Level 4 merchant has implemented an approved security measure prior to the date of intrusion of the compromise event.
Acquirers can contact Visa Risk at firstname.lastname@example.org for more information regarding the Secure Acceptance Incentive Program.