Visa customers must comply with the Account Information Security program (AIS) and are responsible for ensuring their merchants, service providers and merchants’ service providers comply. Though there may not be a direct contractual relationship between merchant service providers and Acquirers, customers remain responsible for any liability that may occur as a result of not complying with the Payment Card Industry’s Data Security Standard (PCI-DSS). Acquirers must include an AIS compliance provision in all contracts with merchants and non-member agents.
Issuers, Acquirers and merchants may disclose Visa transaction information only to service providers approved by Visa.
To receive approval, a service provider must comply with PCI-DSS requirements – the foundation of the AIS program. Any Acquirer that discloses or allows its merchants to disclose Visa transaction information to a third party without AIS compliance will be subject to fines.
If a customer, merchant or service provider does not comply with the PCI-DSS requirements, fails to rectify a security issue or fails to meet dates imposed by Visa for enrollment with a Qualified Security Assessor or validating compliance with the PCI-DSS requirements, Visa may:
Acquirers are protected from fines for merchants or service providers that have validated compliance through a Qualified Security Assessor and have subsequently been compromised but found to be AIS-compliant at the time of the security breach. Conversely, Acquirers are subject to fines for any merchant or service provider that is not AIS-compliant at the time of the security incident.
A customer or the customer's service provider, or a merchant or the merchant's service provider, must immediately report the suspected or confirmed loss or theft of any material or records that contain Visa cardholder data.
Acquirers that know or suspect a security breach with a merchant or service provider must take immediate action to investigate the incident and limit the exposure of cardholder data. If an Acquirer fails to immediately notify Visa Canada Risk Management & Security of the suspected or confirmed loss or theft of any Visa transaction information, the Acquirer will be subject to fines.
Additional fines may be levied in exceptional circumstances where the violation presents immediate and substantial risks to Visa and its customers.