Information Security

Compliance Validation

Separate and distinct from the mandate to comply with the PCI DSS is the validation of compliance whereby entities verify and demonstrate their compliance status. It is a fundamental and critical function that identifies and corrects vulnerabilities, and protects customers by ensuring that appropriate levels of cardholder information security are maintained.

Visa has prioritized and defined levels of compliance validation based on the volume of transactions, the potential risk, and exposure introduced into the payment system by merchants and service providers.

 

Compliance Validation Criteria for Merchants

Acquirers are responsible for ensuring that all their merchants comply with PCI data security requirements; however, merchant compliance validation has been prioritized based on the volume of transactions, the potential risk, and exposure introduced into the payment system.

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ("DBA"). Merchant levels are defined as:

 

Level / Tier Merchant Criteria Validation Requirements

1
  • Merchants processing over 6 million Visa transactions annually (all channels) or
  • Global merchants identified as Level 1 by any Visa region ••
  • Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA)
  • Quarterly network scan by Approved Scan Vendor (ASV)
  • Attestation of Compliance Form

2
  • Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  • Annual Self-Assessment Questionnaire (SAQ)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

3
  • Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

4
  • Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually
  • Annual SAQ recommended
  • Quarterly network scan by ASV, if applicable
  • Compliance validation requirements set by acquirer

• Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

 

• • A merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. Exceptions may apply to global merchants if no common infrastructure exists or if Visa data is not aggregated across borders; in such cases the merchant validates according to regional levels.

 

Validation Criteria for Service Providers

A service provider may be any organization that stores, processes or transmits information, usually on behalf of a bank, merchant or another service provider.

Both issuers and acquirers must use, and are responsible for ensuring that their merchants use, service providers that are compliant with the PCI Data Security Standard (DSS). To locate a certified service provider, download the list of PCI DSS –Compliant Service Providers

All Service Providers will fall into one of two service provider levels:

No se incluye en la lista global de Visa
Procesador, o cualquier proveedor de servicios que almacena, procesa y/o transmite más de 300,000 transacciones Visa por año.
No se incluye en la lista global de Visa
No se incluye en la lista global de Visa
No se incluye en la lista global de Visa
Level All Regions Validation Requirements Result

1

VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year
  • Annual ROC by QSA
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Included on Visa's List of PCI DSS Compliant Service Providers

2

Any service provider that stores, processes and/or transmits less than 300,000 transactions per year
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form

Not included on Visa's List of PCI DSS Compliant Service Providers/Confirmation Letter of Receipt•

• May choose to validate as a Level 1 service provider to be included in Visa's List of PCI DSS Compliant Service Providers.

 

Compliance Validation Deadlines

The following table provides requirements and dates for compliance related to PCI data security standards for participating entities of the Visa System:


30 de Septiembre 2010
Proveer confirmación que no se almacena información sensitiva de autenticación (ej.: contenido de banda magnética, CVV2 o datos del PIN)
30 de Septiembre 2010
30 de Septiembre 2010
30 de Septiembre 2010
30 de Septiembre 2010
Entities Requirement Deadline

Level 1 and 2 Merchants

Provide confirmation that do not retain sensitive authentication data (i.e., full magnetic stripe/track, CVV2 or PIN data) after transaction authorization.

September 30, 2009

Level 1 Merchants

Confirmation of full compliance with PCI Data Security Standards (DSS)

September 30, 2010

Processors

Confirmation of full compliance with PCI Data Security Standards (DSS)

September 30, 2010