Self-Assessment Questionnaire (SAQ)

The Self-Assessment Questionnaire is a free, confidential tool that can be used to gauge your compliance with the Payment Card Industry Data Security Standard (PCI DSS). The Self-Assessment Questionnaire is made up of 'yes' / 'no' questions. To prepare for and complete the online Self-Assessment Questionnaire, follow these steps:

1. Download the printable form and distribute the questions to the appropriate experts within your company to obtain accurate answers. These experts frequently include the individuals responsible for policy and compliance, physical security and information security.
2. Complete the online Self-Assessment Questionnaire.
3. The results of the online Self-Assessment Questionnaire will be made available to you in the PCI Assessment Report. This report outlines your assessed risk level.

All e-Commerce merchants who process fewer than 10,000 Visa accounts per month and have obtained the TrustSG seal (Singapore) automatically meet PCI standards. These merchants do not need to undertake the Self-Assessment Questionnaire. See www.trustsg.org.sg for more information on the TrustSG seal.
Vulnerability scan

An external vulnerability scan enables you to assess your level of security against potential external threats. Scanning tools are used to generate traffic that tests network equipment, hosts and applications for known vulnerabilities. The scan is intended to identify these vulnerabilities so they can be corrected.

External / remote vulnerability scanning: if your network is connected to the Internet, you are susceptible to intrusions from external 'hackers'. As such, all of your Internet-accessible network devices should be scanned for vulnerabilities from outside your perimeter protection, such as a firewall. The vulnerability scan is a non-intrusive test. All scans must be conducted by a third-party compliant network security scanning vendor, selected from the list of Approved Scanning Vendors (ASVs) on the Payment Card Industry Security Standards Council (PCI SSC) website.

Quarterly scans are required for all merchants and service providers whose average monthly transaction volume is over 10,000. Follow-up vulnerability scans ensure that remediation was successful. If network or application modifications are made to the production environment, additional scans may be required to ensure that new vulnerabilities are not introduced into the infrastructure. Visa strongly recommends that you perform internal and external (remote) network vulnerability scans regularly, as new vulnerabilities are constantly discovered.
Onsite review

The onsite review is an independent risk assessment recommended for all entities that process, store or transmit large volumes of Visa accounts / transactions per month (see How Account Information Security Works for more information). Visa recommends that all onsite reviews be performed by a PCI SSC accredited Qualified Security Assessor (QSA). Merchants are allowed to opt for the onsite review to be performed by an internal auditor of the company. The report will need to be signed off by a management executive of the company and submitted to the acquiring banks. During the onsite review, the QSA or the merchant company's internal auditors will follow a set testing procedure, built around the 12 PCI DSS requirements. You can obtain a copy of the Security Review Procedures that a QSA / internal auditor will perform during an onsite review from the Downloads and Resources section or from the Payment Card Industry Security Standards Council.
What is the cost?

The PCI online Self-Assessment Questionnaire and vulnerability scanning are provided by Visa Asia Pacific free of charge. The actual process of assessment, verification and remediation takes place at your organization's expense. The length of time and cost of compliance depend on the extent to which you are already compliant.

Visa recommends that the onsite review be performed by a PCI SSC accredited Qualified Security Assessor (QSA). Merchants are allowed to opt for the onsite review to be performed by an internal auditor of the company. It is up to you to negotiate the cost of this service with your preferred Qualified Security Assessor (QSA). Again, the actual process of assessment and verification takes place at your organization's expense, and the length of time and cost of compliance depend on the extent to which you are already in compliance. Organizations that currently employ PCI SSC accredited QSAs to perform annual reviews of their systems are advised to simply expand the scope of the annual review to encompass the PCI standards. This will reduce the cost and resource requirements associated with meeting these requirements.