Acquirers are responsible for ensuring that all their merchants comply with the PCI Data Security Standard (DSS) requirements; however, merchant compliance validation has been prioritized based on the volume of transactions, the potential risk, and exposure introduced into the payment system.
| Prohibited Data Storage Deadline for Level 1 and 2 Merchants |
| By 30 September 2009, acquirers must confirm that their Level 1 and 2 merchants do not retain sensitive authentication data (i.e., full magnetic stripe/track data, CVV2 or PIN data) after transaction authorization. |
| PCI DSS Compliance Validation Deadline for Level 1 Merchants |
| By 30 September 2010, acquirers must attest that each of their Level 1 merchants has validated full PCI DSS compliance. |
| Level 1, 2 and 3 Merchant Compliance Reporting |
| To ensure compliance with the AIS program requirements, acquirers must report the compliance status of their Level 1, 2 and 3 merchants twice a year (by 31 March and 30 September 2009). Note: acquirer reports must also include Level 1 and 2 merchants qualifying for the Technology Innovation Program (TIP). |
Merchant Levels
All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ("DBA"). In cases where a merchant corporation has more than one DBA, acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA's individual transaction volume to determine the validation level.
| Merchant Level* | Description |
| 1 | Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region**, or any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system. |
| 2 | Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year. |
| 3 | Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year. |
| 4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year. |

* Any merchant that has suffered an intrusion resulting in an account data compromise may be escalated to a higher validation level.
** A merchant meeting the Level 1 criteria in any Visa country/region and operating in more than one country/region is considered a global Level 1 merchant. Exceptions may apply to global merchants if no common infrastructure exists or if Visa data is not aggregated across borders; in such cases the merchant validates according to regional levels.
Compliance validation requirements
In addition to adhering to the PCI Data Security Standard, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants.
| Level | Validation Action | Validated By |
| 1 | Annual on-site PCI Data Security Assessment and quarterly network scan | Qualified Security Assessor, or internal audit if the report is signed by an officer of the company; scans by an Approved Scanning Vendor |
| 2 | Annual PCI Self-Assessment Questionnaire (SAQ) and quarterly network scan | Merchant; scans by an Approved Scanning Vendor |
| 3 | Annual PCI Self-Assessment Questionnaire (SAQ) and quarterly network scan | Merchant; scans by an Approved Scanning Vendor |
| 4* | Annual PCI Self-Assessment Questionnaire (SAQ) and quarterly network scan (if applicable) | Merchant; scans by an Approved Scanning Vendor |

* The PCI DSS requires that all merchants with externally facing IP addresses perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by Level 4 merchants.
Validation procedures and documentation
Acquirers must ensure that their merchants validate at the appropriate level and must obtain the required compliance validation documentation from them. Acquirers must submit semi-annual (twice-yearly) status reports to Visa, and all compliance validation documentation must be made available to Visa upon request. Acquirers and merchants should also verify the compliance reporting requirements of other payment card brands, which may require proof of compliance validation. Compliance validation takes place at the merchant's expense, as follows:
Level 1 Merchants
Quarterly Network Security Scans and an Annual On-Site PCI Data Security Assessment must be completed for Level 1 merchants according to the PCI Requirements and Security Assessment Procedures document. This document is also to be used as the template for the Report on Compliance.
Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their acquirer. Alternatively, acquirers may elect to accept the Report on Compliance from a level 1 merchant, if an internal review has taken place, provided that the report is signed by a merchant officer (CTO, CFO, CEO, CCO).
Acquirers must submit the merchant compliance validation report to Visa upon receipt and acceptance of the merchant's validation documentation.
Download the PCI Requirements and Security Assessment Procedures.
Download the merchant compliance validation report.
Level 2/Level 3 Merchants
The Annual PCI Self-Assessment Questionnaire and Quarterly Network Security Scans must be completed by Level 2 and 3 merchants. Acquirers are responsible for ensuring that the quarterly network security scans required of their merchants are performed by an Approved Scanning Vendor. The Quarterly Network Security Scan is applicable to merchants with externally-facing IP addresses.
Download the PCI Security Scanning Procedures.
Download the PCI Self-Assessment Questionnaire.
Level 4 Merchants
Level 4 merchants may be required to complete the PCI Self-Assessment Questionnaire and/or Network Security Scan as specified by their acquirer.
Risk-based PCI DSS Validation
Visa is promoting secure payments through multiple layers of security that include the PCI Data Security Standard, increased use of secure technologies such as EMV chip with iCVV, and available tools like encryption that devalue data. Through risk-based PCI DSS validation, merchants are able to meet Visa's compliance requirements by implementing key elements of the PCI DSS in conjunction with the other risk control measures outlined below.

Merchants that have implemented end-to-end encryption (1), and/or process EMV chip transactions (2) in countries where iCVV penetration (3) is 75 percent or higher, may validate as follows:

1. Merchants that have validated their compliance with milestones one through four of the PCI SSC's Prioritized Approach will be recognized as fulfilling Visa's PCI DSS validation requirements.

Note: Only merchants meeting all PCI DSS requirements are considered fully PCI DSS compliant. Acquirers of merchants that are not fully PCI DSS compliant remain liable for losses and potential fines resulting from a data compromise. Visa reserves the right to require merchants to validate full PCI DSS compliance in the event of the loss or theft of Visa cardholder data. The following table outlines this approach.
| PCI SSC Prioritized Approach Milestone | Visa validation requirement for merchants that have implemented end-to-end encryption and/or EMV chip with iCVV | Visa compliance action |
| 1. Remove Sensitive Authentication Data and Limit Data Retention | Visa risk-based PCI DSS validation against milestones one through four required | Merchant has met Visa's compliance validation requirements; acquirer remains liable for losses and fines resulting from a potential data compromise of the merchant |
| 2. Protect the Perimeter, Internal, and Wireless Networks | (as for milestone 1) | (as for milestone 1) |
| 3. Secure Applications | (as for milestone 1) | (as for milestone 1) |
| 4. Protect through Monitoring and Access Control | (as for milestone 1) | (as for milestone 1) |
| 5. Render Cardholder Data Unreadable | Validation against milestones five and six recommended as deemed necessary by Visa | Full PCI DSS compliance |
| 6. Achieve Final Compliance and Maintenance of PCI DSS | (as for milestone 5) | (as for milestone 5) |
2. Merchants that have attested to not storing prohibited data and process EMV chip transactions in markets where iCVV penetration is higher than 75 percent may exclude chip transactions from their overall annual transaction volume and define their merchant level by the annual volume of non-chip transactions.

When considering only non-chip transactions, acquirers may reduce their merchant's validation level by no more than one level from the original validation level based on overall transaction volume. Accordingly, a qualifying Level 1 merchant that processes fewer than six million non-chip transactions may be reduced to Level 2 and validate PCI DSS compliance by completing the Self-Assessment Questionnaire and quarterly vulnerability scans. A Level 1 merchant cannot, however, be reduced to Level 3 or Level 4.
(1) "End-to-end encryption" is defined as encryption of sensitive account data, such as the primary account number, PIN and card verification values, from the point of entry into the point-of-sale device (via magnetic stripe, chip or key entry) through transaction submission for processing and anywhere cardholder data may traverse a merchant's network, such that the data is never decrypted on the merchant's systems.
(2) "Chip transaction" is defined as a transaction initiated by a chip card and processed by a chip-enabled terminal by reading the cardholder data from the chip in accordance with the Visa International Operating Regulations.
(3) Visa will advise acquirers of the level of iCVV penetration in their market when their merchant implements the risk-based approach to validate PCI DSS compliance.
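As an added worked example (not part of the Visa page), the following Python implements the merchant-level determination described above: the volume thresholds from the merchant-level table, the rule that DBAs sharing a corporate entity's cardholder-data infrastructure are assessed on aggregate volume, and the chip-exclusion reduction capped at one level. The thresholds are the page's; the handling of exact boundaries (1,000,000 and 20,000 transactions), treating the 75 percent iCVV threshold as inclusive, and the assumption that chip transactions are card-present (so excluding them never changes e-commerce volume) are this example's own assumptions, and the sample corporation's volumes are constructed.

```python
"""Merchant-level classification under the Visa AIS rules quoted above.

Added example, not Visa's tooling. Assumptions (not stated on the page):
a merchant at exactly 1,000,000 transactions is Level 2 and one at exactly
20,000 e-commerce transactions is Level 3; the 75 percent iCVV threshold is
inclusive; chip transactions are card-present, so they are never e-commerce.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DbaVolume:
    """Trailing-12-month Visa volume for one Doing Business As (DBA)."""
    name: str
    total: int        # all Visa transactions, all channels (credit, debit, prepaid)
    ecommerce: int    # subset of `total` that are e-commerce transactions
    chip: int = 0     # subset of `total` that are EMV chip (card-present) transactions


def merchant_level(total, ecommerce):
    """Map annual volume to a Visa merchant level (1 is the most demanding)."""
    if ecommerce > total:
        raise ValueError("e-commerce volume cannot exceed total volume")
    if total > 6_000_000:
        return 1                    # over 6 million, all channels
    if total >= 1_000_000:
        return 2                    # 1,000,000 to 6,000,000, all channels
    if ecommerce >= 20_000:
        return 3                    # 20,000 to 1,000,000 e-commerce
    return 4                        # everything else up to 1,000,000


def aggregate_volume(dbas, shared_cardholder_data):
    """Return {dba_name: (total, ecommerce, chip)} to classify against.

    If the corporate entity stores, processes or transmits cardholder data on
    behalf of its DBAs, every DBA is assessed on the aggregate volume;
    otherwise each DBA is assessed on its own volume.
    """
    if shared_cardholder_data:
        agg = (sum(d.total for d in dbas),
               sum(d.ecommerce for d in dbas),
               sum(d.chip for d in dbas))
        return {d.name: agg for d in dbas}
    return {d.name: (d.total, d.ecommerce, d.chip) for d in dbas}


def risk_based_level(total, ecommerce, chip, attested_no_prohibited_storage,
                     market_iccv_pct):
    """Level after the chip-exclusion rule, reduced by at most one level.

    Applies only when the merchant has attested to storing no prohibited data
    and the market's iCVV penetration is at least 75 percent (assumed inclusive).
    """
    base = merchant_level(total, ecommerce)
    if not attested_no_prohibited_storage or market_iccv_pct < 75:
        return base
    if chip > total:
        raise ValueError("chip volume cannot exceed total volume")
    reduced = merchant_level(total - chip, ecommerce)   # non-chip volume only
    return min(reduced, base + 1)   # never more than one level below the original


def classify_corporation(dbas, shared_cardholder_data,
                         attested_no_prohibited_storage, market_iccv_pct):
    """{dba_name: (original_level, risk_based_level)} for every DBA."""
    result = {}
    volumes = aggregate_volume(dbas, shared_cardholder_data)
    for name, (total, ecom, chip) in volumes.items():
        result[name] = (merchant_level(total, ecom),
                        risk_based_level(total, ecom, chip,
                                         attested_no_prohibited_storage,
                                         market_iccv_pct))
    return result


# Constructed sample corporation: one card-present DBA, one e-commerce DBA.
SAMPLE_DBAS = [
    DbaVolume("Store A", total=4_200_000, ecommerce=30_000, chip=4_000_000),
    DbaVolume("Web B", total=3_000_000, ecommerce=3_000_000, chip=0),
]

if __name__ == "__main__":
    for shared in (True, False):
        levels = classify_corporation(SAMPLE_DBAS, shared, True, 80)
        print(f"shared cardholder data={shared}: {levels}")
```

With a shared corporate infrastructure the two DBAs aggregate to 7.2 million transactions and both are Level 1; excluding the 4 million chip transactions leaves 3.2 million, which would be Level 2 on its own and is also the most the one-level cap allows. Assessed separately, Store A starts at Level 2 and drops to Level 3 on 200,000 non-chip transactions, while Web B has no chip volume and stays at Level 2.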