PCI Compliance helps keep you and your customers' data safe
From fraud prevention tips to innovative security technologies, we provide powerful resources to help keep your business safe and secure.

Security Program Updates
As part of a broader effort to mitigate small merchant breaches, Visa Payment System Risk established new data security program requirements for U.S. and Canadian acquirers with an effective date of January 31, 2017.

PCI DSS compliance
Everyone storing, processing or transmitting cardholder information is required to follow the Payment Card Industry Data Security Standard (PCI DSS). It consists of 12 basic requirements grouped into 6 categories for establishing and maintaining a reliable and secure payment processing environment. Partner with your acquirer to provide secure transactions for all customers using the PCI DSS. First, review the guidelines, and then check to see that you meet the related requirements.

- 1. Install and maintain a firewall configuration to protect cardholder data.
- 2. Do not use vendor-supplied defaults for system passwords and other security parameters.

- 3. Protect stored cardholder data.
- 4. Encrypt transmission of cardholder data across open, public networks.

- 5. Protect all systems against malware and regularly update anti-virus software or programs.
- 6. Develop and maintain secure systems and applications.

- 7. Restrict access to cardholder data by business need-to-know.
- 8. Identify and authenticate access to system components.
- 9. Restrict physical access to cardholder data.

- 10. Track and monitor all access to network resources and cardholder data.
- 11. Regularly test security systems and processes.

- 12. Maintain a policy that addresses information security for all personnel.
Compliance validation
Take the time to see that you’ve met all requirements of the PCI DSS. It’s the best way to confirm cardholder data is being safely handled and to expose any weaknesses that need to be addressed. Your total Visa transaction volume over a 12-month period determines your merchant level** and the necessary requirements for validation.
** Merchant level identification is based on the corporate entity’s total volume of Visa transactions (inclusive of credit, debit and prepaid) meeting the transaction thresholds in one country or with one acquirer per year. Volume from independently-owned and operated merchant locations (e.g., franchisee, licensee) may be excluded if it is not processed by the corporate entity.
Every year:
- File a Report on Compliance ("ROC") prepared by a Qualified Security Assessor ("QSA") or by an internal resource, if signed by an officer of the company.
- Submit an Attestation of Compliance ("AOC") Form.

Every year:
- Complete a Self-Assessment Questionnaire ("SAQ").
- Submit an Attestation of Compliance ("AOC") Form.

Every year:
- Complete a Self-Assessment Questionnaire ("SAQ").
- Submit an Attestation of Compliance ("AOC") Form.

Every year:
- Complete a Self-Assessment Questionnaire ("SAQ") or an alternative validation exercise as defined by the acquirer.
Technology Innovation Program
Invest in secure technology and make compliance easier.
U.S. merchants that have acted to help prevent counterfeit fraud by investing in secure technology can benefit from Visa's Technology Innovation Program (TIP). This program rewards eligible merchants by eliminating the requirement to validate compliance with the PCI DSS when at least 75 percent of yearly transactions originate through any combination of dual-interface EMV chip-enabled terminals, a validated point-to-point encryption solution, or an integrated industry-standard tokenization solution meeting the EMVCo Tokenisation Specification.
Regulations + assessments
The Visa Core Rules (VCR) govern the activities of client financial institutions and, by extension, merchants and service providers as participants in the Visa payment system.
A merchant's acquiring bank is responsible for ensuring the PCI Data Security Standard (DSS) compliance of the merchant and any service providers the merchant is using. As a merchant, you must maintain full compliance at all times. (VCR section IDs #0002228 and #0008031)
If a merchant does not comply with the PCI DSS or fails to rectify a security issue, Visa may impose a non-compliance assessment on the merchant's acquirer. The acquirer is responsible for paying all assessments and must not represent that Visa has imposed any assessment on the merchant. (VCR section ID #0001054)
Assessments may be waived if there is no evidence of PCI DSS non-compliance prior to, and at the time of, a data breach, as demonstrated during a forensic investigation.
Service providers + payment applications
Support secure transactions by partnering only with approved service providers and payment applications.
Service providers
Service providers handle Visa cardholder information on your behalf. Your acquirer ensures service providers comply with the PCI DSS. Compliance validation is required for all service providers.
Payment software
Use only secure, validated payment software.
Payment Application Data Security Standard (PA-DSS)
Products that meet the PCI Payment Application Data Security Standard (PA-DSS) help merchants mitigate compromises, prevent storage of sensitive cardholder data, and support overall compliance with the PCI DSS.
Software Security Framework (SSF)
The PCI Software Security Framework (SSF) will replace the PA-DSS and supports a broader array of payment software types, technologies, and development methodologies.
Notify Visa
If you discover a vulnerable payment application where sensitive cardholder data is stored, please notify us at cisp@visa.com.
Security programs
Stay up-to-date with the latest security standards.
Global PIN Security Program
Merchants that acquire PIN transactions and/or perform key management services for themselves must comply with the Visa PIN Security requirements.
Use the links below to learn more about Visa’s Global PIN Security Program:
Skimming Prevention: Best Practices for Merchants
Learn more about joining the Qualified Integrator Reseller (QIR) Program
The PCI Qualified Integrators & Resellers (QIR)™ training and qualification program provides training and tools to ensure a secure installation of your merchants' PA-DSS validated payment systems. By becoming a QIR, you enable merchants to use your services to meet the requirements outlined by the payment brands.
More resources
Find more information on protecting your business.
- Minimizing Payment Risks for Merchants Using Integrators/Resellers (PDF, 1.2 MB)
- Cybercriminals Targeting Point of Sale Integrators (PDF, 984 KB)
- Effectively Managing Data Breaches (PDF, 984 KB)
- 5 Important Visa Rules That Every Merchant Should Know (PDF, 587 KB)
- Identifying and Mitigating Threats to E-commerce Payment Processing (PDF, 1.0 MB)
- Payment Application Security Mandates (PDF, 61 KB)