How Account Information Security Works

What does the AIS program involve? The AIS program is a requirement if you participate in the Visa payment system. Your acquiring bank will be responsible for ensuring that you meet Visa's PCI DSS standards, and will be able to guide you through the AIS validation process.
How do I know if I meet the PCI DSS standards? To check whether your organization meets the PCI DSS standards, you complete the following validation tasks (depending on the average monthly Visa volume you process or the cardholder data you handle):
- Self-Assessment Questionnaire (SAQ)
- Vulnerability scan
- Onsite review
Do I have to complete all the validation tasks?

Service Providers

| Validation task | More than 600,000 Visa transactions per year | Between 120,000 and 600,000 Visa transactions per year | Less than 120,000 Visa transactions |
| --- | --- | --- | --- |
| Self-assessment questionnaire | Optional | Mandated | Mandated |
| Quarterly network scan | Mandated | Mandated | Recommended |
| Onsite review | Mandated | Recommended | Recommended |

Merchants

| Merchant level | Description | Validation task |
| --- | --- | --- |
| Level 1 | Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year. | Annual PCI DSS onsite review; quarterly network scans |
| Level 2 | Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year. | Quarterly network scans; annual Self-Assessment Questionnaire |
| Level 3 | Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year. | Quarterly network scans; annual Self-Assessment Questionnaire |
| Level 4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year. | Annual Self-Assessment Questionnaire (recommended) |

* includes all transactions, regardless of the type / channel
How often do the validation tasks need to be completed? All entities that process Visa transactions should ensure they complete the AIS validation tasks on an annual basis. It is expected that your organization already regularly reviews and tests security procedures. Validation to the PCI DSS standards should be part of this process.

Required documentation: Members are required to submit the following documentation:
- Certificate of Compliance (CoC) - indicating full or partial compliance of the Service Provider / Merchant
- Summary of Findings - signed off by the QSA if onsite audit was performed. Refer to Payment Card Industry (PCI) Data Security Standard Security Audit Procedures version 1.1 (Attachment 4)
For entities that are not fully compliant at the time of validation, the following documents are required to be submitted in addition to the Certificate of Compliance:
- Remediation plan – signed off by the QSA
- Letter confirming the target date of full compliance signed by member bank
Once remediation tasks have been completed, a final Certificate of Compliance must be submitted indicating full compliance.
Forms:
- Certificate of Compliance (Service Provider)
- Certificate of Compliance (Merchant)
What acknowledgement of validation to PCI DSS standards will be received? Your acquiring bank will inform you about the validation tasks you are required to complete and the validation deadline. Your acquiring bank will inform Visa of your compliance status via the Certificate of Compliance. Being PCI DSS compliant gives you a competitive edge and a channel to demonstrate a high level of security to your customers and other industry and regulatory bodies.
What if I choose not to be involved in the AIS program? Visa can enforce the AIS program using financial penalties on all acquirers and may require that specific actions be taken to protect account and transaction information. Should a compromise occur and your organization has not taken the appropriate steps to ensure that account information was protected, your acquiring bank may be financially penalized.