Overview

Acquirers are responsible for ensuring that all their merchants comply with the PCI Data Security Standard (DSS) requirements; however, merchant compliance validation has been prioritized based on the volume of transactions, the potential risk, and exposure introduced into the payment system. 
 

Prohibited Data Storage Deadline for Level 1 and 2 Merchants

By 30 September 2009, acquirers must confirm that their Level 1 and 2 merchants do not retain sensitive authentication data (i.e., full magnetic stripe/track, CVV2 or PIN data) after transaction authorization.

PCI DSS Compliance Validation Deadline for Level 1 merchants

By 30 September 2010, acquirers must attest that each of their Level 1 merchants has validated full PCI DSS compliance.

Level 1, 2 and 3 merchant compliance reporting

To ensure compliance with the AIS program requirements acquirers must  report Level 1, 2 and 3 merchant compliance status twice a year (31st of March and 30th of September 2009) as follows:   Acquirer reports to include status of each Level 1 merchant Acquirer reports to include status of each Level 2 merchant Statistical reporting metrics for Level 3 merchants Download the merchant compliance validation report

Merchant Levels

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ("DBA"). In cases where a merchant corporation has more than one DBA, acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA's individual transaction volume to determine the validation level. 

Merchant Level*	Description
1	Merchants processing over 6 million Visa transactions annually (all channels) or global merchants identified as Level 1 by any Visa region** Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2	Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year.
3	Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
4	Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year.

 

*	Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.
**	A merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. Exceptions may apply to global merchants if no common infrastructure exists or if Visa data is not aggregated across borders; in such cases the merchant validates according to regional levels

Compliance validation requirements

In addition to adhering to the PCI Data Security Standard, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants. 

Level	Validation Action	Validated By
1	Annual On-site PCI Data Security Assessment and Quarterly Network Scan	Qualified Security Assessor or Internal Audit if signed by Officer of the company Approved Scanning Vendor
2	Annual PCI Self-Assessment Questionnaire (SAQ) and Quarterly Network Scan	Merchant  Approved Scanning Vendor
3	Annual PCI Self-Assessment Questionnaire (SAQ) and Quarterly Network Scan	Merchant    Approved Scanning Vendor
4*	Annual PCI Self-Assessment Questionnaire (SAQ) and Quarterly Network Scan (if applicable)	Merchant  Approved Scanning Vendor

 
*The PCI DSS requires that all merchants with externally-facing IP addresses perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.

Validation procedures and documentation

Acquirers must ensure that their merchants validate at the appropriate level and obtain the required compliance validation documentation from their merchants. Acquirers must submit bi-annual status reports to Visa and all compliance validation documentation must be made available to Visa upon request. Acquirers and merchants should also verify the compliance reporting requirements of other payment card brands which may require proof of compliance validation. Compliance validation takes place at the merchant's expense, as follows:
 
Level 1 Merchants
 
Quarterly Network Security Scans and an Annual On-Site PCI Data Security Assessment must be completed for Level 1 merchants according to the PCI Requirements and Security Assessment Procedures document . This document is also to be used as the template for the Report on Compliance.
 
Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their acquirer.  Alternatively, acquirers may elect to accept the Report on Compliance from a level 1 merchant, if an internal review has taken place, provided that the report is signed by a merchant officer (CTO, CFO, CEO, CCO).
 
Acquirers must submit the merchant compliance validation report to Visa upon receipt and acceptance of the merchant’s validation documentation.
 
Download the PCI Requirements and Security Assessment Procedures .
Download the merchant compliance validation report.
 
Level 2/Level 3 Merchants
 
The Annual PCI Self-Assessment Questionnaire and Quarterly Network Security Scans must be completed by Level 2 and 3 merchants. Acquirers are responsible for ensuring that the quarterly network security scans required of their merchants are performed by an Approved Scanning Vendor. The Quarterly Network Security Scan is applicable to merchants with externally-facing IP addresses.
 
Download the PCI Security Scanning Procedures .
Download the PCI Self-Assessment Questionnaire.
 
Level 4 Merchants
 
Level 4 merchants may be required to complete the PCI Self-Assessment Questionnaire and/or Network Security Scan as specified by their acquirer.

Risk-based PCI DSS Validation

Visa is promoting secure payments through multiple layers of security that include the PCI Data Security Standards, increased use of secure technologies such as EMV chip with iCVV and leveraging available tools like encryption to devalue data. Through the risk-based PCI DSS validation merchants are able to meet Visa's compliance requirements by implementing key elements of the PCI DSS in conjunction with other risk control measures as outlined below. 
 
Merchants that have implemented

• end-to-end encryption¹; and/or
• process EMV chip transactions² in countries where iCVV penetration³ is 75 percent or higher,

1.

Merchants that have validated their compliance with milestones one through four of the PCI SSC's Prioritized Approach will be recognized as fulfilling Visa PCI DSS validation requirements.

Note: Only those merchants meeting all PCI DSS requirements are considered fully PCI DSS compliant. Acquirers of merchants that are not fully PCI DSS compliant remain liable for losses and potential fines resulting from a data compromise. Visa reserves the right to require merchants to validate full PCI DSS compliance in the event of the loss or theft of Visa cardholder data. The following table outlines this approach.

PCI SSC Prioritized Approach Milestones		Visa validation requirements for merchants that have implemented end-to-end encryption and/or EMV chip with iCVV	Visa compliance actions
1	Remove Sensitive Authentication Data and Limit Data Retention	Visa risk-based PCI DSS validation against milestones one through four required	Merchant has met Visa's compliance validation requirements   Acquirer remains liable for losses and fines resulting from potential data compromise of merchant
2	Protect the Perimeter, Internal, and Wireless Networks
3	Secure Applications
4	Protect through Monitoring and Access Control
5	Render Cardholder Data Unreadable	Validation against milestones five and six recommended as deemed necessary by Visa	Full PCI DSS compliance
6	Achieve Final Compliance and Maintenance of PCI DSS

2.

Merchants that have attested to not storing prohibited data and process EMV chip transactions in markets where iCVV penetration is higher than 75 percent may exclude chip transactions from their overall annual transaction volume and define their merchant level by the annual volume of non-chip transactions.

When considering only non-chip transactions, acquirers may reduce their merchant's validation level by no more than one level from the original validation level based on the overall transaction volume. Accordingly, qualifying Level 1 merchants that process less than six million non-chip transactions may reduce their merchant level to Level 2 and validate PCI DSS compliance by completing the Self Assessment Questionnaire and quarterly vulnerability scans. Level 1 merchants, however, cannot be reduced to Level 3 or Level 4.