Cardholders   Commercial   Merchants   Value of Visa   Media Center      Southeast Asia  
Search:

Navigation

    Card Acceptance Agents Account Info Security Chip Technology Travellers Cheque Acceptance Merchant Education

Account Information Security (AIS)


Overview

Acquirers are responsible for ensuring that all their merchants comply with the PCI Data Security Standard (DSS) requirements; however, merchant compliance validation has been prioritized based on the volume of transactions, the potential risk, and exposure introduced into the payment system. 
 

Merchant Levels

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ("DBA"). In cases where a merchant corporation has more than one DBA, acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA's individual transaction volume to determine the validation level. 

 
Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.
A merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. Exceptions may apply to global merchants if no common infrastructure exists or if Visa data is not aggregated across borders; in such cases the merchant validates according to regional levels

Compliance validation requirements

In addition to adhering to the PCI Data Security Standard, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants. 

 
*The PCI DSS requires that all merchants with externally-facing IP addresses perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.

Validation procedures and documentation

Acquirers must ensure that their merchants validate at the appropriate level and obtain the required compliance validation documentation from their merchants. Acquirers must submit bi-annual status reports to Visa and all compliance validation documentation must be made available to Visa upon request. Acquirers and merchants should also verify the compliance reporting requirements of other payment card brands which may require proof of compliance validation. Compliance validation takes place at the merchant's expense, as follows:
 
Level 1 Merchants
 
Quarterly Network Security Scans and an Annual On-Site PCI Data Security Assessment must be completed for Level 1 merchants according to the PCI Requirements and Security Assessment Procedures document . This document is also to be used as the template for the Report on Compliance.
 
Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their acquirer.  Alternatively, acquirers may elect to accept the Report on Compliance from a level 1 merchant, if an internal review has taken place, provided that the report is signed by a merchant officer (CTO, CFO, CEO, CCO).
 
Acquirers must submit the merchant compliance validation report to Visa upon receipt and acceptance of the merchant’s validation documentation.
 
Download the PCI Requirements and Security Assessment Procedures .
Download the merchant compliance validation report.
 
Level 2/Level 3 Merchants
 
The Annual PCI Self-Assessment Questionnaire and Quarterly Network Security Scans must be completed by Level 2 and 3 merchants. Acquirers are responsible for ensuring that the quarterly network security scans required of their merchants are performed by an Approved Scanning Vendor. The Quarterly Network Security Scan is applicable to merchants with externally-facing IP addresses.
 
Download the PCI Security Scanning Procedures .
Download the PCI Self-Assessment Questionnaire.
 
Level 4 Merchants
 
Level 4 merchants may be required to complete the PCI Self-Assessment Questionnaire and/or Network Security Scan as specified by their acquirer.

Risk-based PCI DSS Validation

Visa is promoting secure payments through multiple layers of security that include the PCI Data Security Standards, increased use of secure technologies such as EMV chip with iCVV and leveraging available tools like encryption to devalue data. Through the risk-based PCI DSS validation merchants are able to meet Visa's compliance requirements by implementing key elements of the PCI DSS in conjunction with other risk control measures as outlined below. 
 
Merchants that have implemented

  • end-to-end encryption1; and/or
  • process EMV chip transactions2 in countries where iCVV penetration3 is 75 percent or higher,
have the following two additional options to choose from when fulfilling Visa PCI DSS compliance validation requirements.
 
Merchants that have validated their compliance with milestones one through four of the PCI SSC's Prioritized Approach will be recognized as fulfilling Visa PCI DSS validation requirements.

Note: Only those merchants meeting all PCI DSS requirements are considered fully PCI DSS compliant. Acquirers of merchants that are not fully PCI DSS compliant remain liable for losses and potential fines resulting from a data compromise. Visa reserves the right to require merchants to validate full PCI DSS compliance in the event of the loss or theft of Visa cardholder data. The following table outlines this approach. 
 
 

Merchants that have attested to not storing prohibited data and process EMV chip transactions in markets where iCVV penetration is higher than 75 percent may exclude chip transactions from their overall annual transaction volume and define their merchant level by the annual volume of non-chip transactions.

When considering only non-chip transactions, acquirers may reduce their merchant's validation level by no more than one level from the original validation level based on the overall transaction volume. Accordingly, qualifying Level 1 merchants that process less than six million non-chip transactions may reduce their merchant level to Level 2 and validate PCI DSS compliance by completing the Self Assessment Questionnaire and quarterly vulnerability scans. Level 1 merchants, however, cannot be reduced to Level 3 or Level 4. 
 

"End-to-end encryption" is defined as encryption of sensitive account data such as the primary account number, PIN and card verification values from the point of entry into the point-of-sale device via magnetic-stripe, chip or key entry through transaction submission for processing and anywhere cardholder data may traverse a merchant's network such that the data is never decrypted on the merchant's systems. 
"Chip transaction" is defined as a transaction initiated by a chip card processed by a chip-enabled terminal by reading the cardholder data from the chip in accordance with the Visa International Operating Regulations.
Visa will advise acquirers of the level of iCVV penetration in their market when their merchant implements the risk-based approach to validate PCI DSS compliance.

Technology Innovation Program (TIP)

The Visa Technology Innovation Program (TIP) is part of Visa’s ongoing strategy to protect the payment system and advance security practices that will help secure cardholder data. This program rewards and further encourages the use of EMV technology as it decreases the value of transaction data to criminals. 
 
Effective 31 March 2011, this program allows qualifying merchants outside of the United States to discontinue their annual PCI DSS revalidation assessment. Qualifying merchants can reap meaningful savings, and will have the opportunity to re-invest those savings into additional technology to support dynamic data processing.
 
Minimum Merchant Qualification Standards
To qualify for the program and receive its benefits, merchants must meet all of the following criteria:
The merchant must have validated PCI DSS compliance previously or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance based on a gap analysis.
The merchant must have confirmed that sensitive authentication data (i.e., the full contents of magnetic stripe, CVV2 and PIN data) is not stored, as defined in the PCI DSS. 
At least 75 percent of the merchant’s transaction count must originate from enabled Chip-Reading Device1 terminals (i.e., contact and/or dual interface contact / contactless terminals).
The merchant must not be involved in a breach of cardholder data. A breached merchant may qualify for TIP if they have subsequently validated PCI DSS compliance.
 
Merchants that do not meet the above minimum merchant qualification standards and merchants whose transaction volume is primarily from e-commerce and MO/TO acceptance channels are required to continue validating their PCI DSS compliance annually in accordance with Visa compliance programs.
 
All merchants are required to maintain ongoing PCI DSS compliance and protect their customers’ data. Acquirers retain full responsibility for merchants’ PCI DSS compliance, as well as responsibility for any fees, fines or penalties, which may be applicable in the event of a data breach.


Enabled Chip-Reading Devices must have current, valid EMV approval and pass Visa Acquirer Device Validation Toolkit (ADVT) / Visa payWave Test Tool (VpTT) implementation requirements as applicable and comply with the Visa Transaction Acceptance Device Requirements (TADR). 

  • Printable Page

Quick Links

 
 
 
Home | About Visa | Careers | Site Map | Legal | Privacy Policy | Hyperlink Guidelines | Global Sites | Asia Pacific Sites
© Copyright Visa. All Rights Reserved.