Payment Card Industry Data Security Standard (PCI DSS) compliance is required of all entities that store, process, or transmit Visa cardholder data, including financial institutions, merchants and service providers. Visa’s programs manage PCI DSS compliance by requiring that participants demonstrate compliance on a regular basis.
PCI DSS compliance
Keep up to date with security standards that benefit everyone.
Visa’s Cardholder Information Security Program (CISP) is a compliance program intended to protect Visa cardholder data by ensuring clients, merchants, and service providers maintain the highest information security standard.
The PCI Security Standards Council (SSC) owns, maintains and manages the PCI DSS and all its supporting documents; however, Visa manages all data security compliance enforcement and validation initiatives.
Issuers and acquirers are responsible for ensuring that all of their service providers, merchants, and merchants’ service providers comply with the PCI DSS requirements.
Merchant compliance validation has been prioritized based on the volume of transactions, the potential risk, and exposure introduced into the payment system.
Issuers and acquirers must ensure that all their Level 1 and Level 2 service providers demonstrate PCI DSS compliance at the time of Third Party Agent (TPA) registration and every 12 months thereafter.
Acquirers must ensure that their merchants validate at the appropriate level and obtain the required compliance validation documentation from their merchants. Merchant banks and merchants should also verify the compliance reporting requirements of other payment card brands which may require proof of compliance validation.
Level 1 service providers not directly connected to Visa are required to complete the annual on-site PCI data security assessment and submit to Visa an executed attestation of compliance (AOC) signed by both the service provider and the qualified security assessor (QSA). Level 2 service providers must submit either a signed self-assessment questionnaire (SAQ-D) or an AOC that includes the QSA signature. PCI DSS compliance validation is required before a service provider can be listed on the Visa Global Registry of Service Providers (the Registry).
The Visa Core Rules and Visa Product and Service Rules govern the activities of client financial institutions and, by extension, of service providers and merchants as participants in the Visa payment system.
Issuers and acquirers are responsible for ensuring the PCI DSS compliance of their service providers and merchants, including any service providers a merchant uses. Service providers and merchants must maintain full compliance at all times. (VCR section ID #0002228 and #0008031)
If a service provider or merchant does not comply with the PCI DSS or fails to rectify a security issue, Visa may assess a non-compliance assessment to the issuer or acquirer. The issuer or acquirer is responsible for paying all assessments and must not represent that Visa has imposed any assessment on the service provider or merchant. (VCR section ID #0001054)
Acquirers can contact Visa Risk at cisp@visa.com for more information.
PIN Security Program
Visa is simplifying PIN security compliance validation across all regions.
Payment Application Data Security Standard (PA-DSS)
Payment application vendors with currently validated PA-DSS applications are encouraged to transition to the PCI Software Security Framework (SSF). Submission of new payment applications for PA-DSS validation will be accepted until 30 June 2021. Existing PA-DSS validated applications will remain on the List of Validated Payment Applications, and vendors can continue to submit changes until the PA-DSS program closes on 28 October 2022. When the PA-DSS program officially closes, all PA-DSS validated application listings will be moved to the “Acceptable Only for Pre-existing Deployments” list.
Storage of cardholder data elements is in direct violation of the PCI DSS and Visa rules. Criminals are targeting merchants and agents that use these vulnerable payment applications and are exploiting these security vulnerabilities to find and steal cardholder data.
If you discover a vulnerable payment application and have specific information about the payment application vendor, the application version, where sensitive cardholder data is stored, and the vendor's contact information, please notify Visa by email at cisp@visa.com. All information provided will be verified with the software vendor. Visa will not reveal the source of the information to any software vendor, nor disclose information that would reveal the source's identity.
Visa developed the Payment Application Best Practices (PABP) in 2005 to provide software vendors with guidance on developing payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and support overall compliance with the PCI DSS. In 2008, the PCI Security Standards Council adopted Visa's PABP and released the standard as the PA-DSS, which has since replaced PABP for the purpose of Visa's compliance program.
Software Security Framework (SSF)
The PCI Software Security Framework (SSF) is a collection of standards and programs for the secure design and development of payment software. The SSF program is similar to and will replace PA-DSS at the retirement of that standard at the end of October 2022.
Fundamental to the framework are two standards that set the foundation:
- Secure Software Standard
- Secure Software Lifecycle Standard
Secure Software Standard
The Secure Software Standard provides security requirements for building secure payment software to protect the integrity and the confidentiality of sensitive data that is stored, processed, or transmitted in association with payment transactions. It is intended for vendors that develop payment software that supports or facilitates payment transactions.
As new modules are added to the Secure Software Standard, the program scope will expand to support other types of software, use cases, and technologies.
Secure Software Lifecycle (Secure SLC) Standard
The Secure SLC Standard provides security requirements for payment software vendors to integrate security throughout the entire software lifecycle, which results in software that is secure by design and able to withstand attacks. It is intended for vendors that are developing payment software that supports or facilitates payment transactions.