Merchant Levels: Defined

Acquirers are responsible for ensuring that all of their merchants protect Visa account information. Compliance with the Account Information Security (AIS) program is mandatory. Merchants must validate compliance at one of four merchant levels, depending on the volume of Visa transactions.

Acquirers are responsible for determining these levels for merchants. The transaction volume is based on the aggregate number of Visa transactions processed by a merchant. To confirm merchant level, please contact your Acquirer.

Merchant levels and their descriptions:

Level 1: Any merchant (regardless of acceptance channel) processing over 6,000,000 Visa transactions per year; also any merchant that Visa, in its sole discretion, determines should meet the Level 1 Merchant requirements, to minimize risk to the Visa system.

Level 2: Any merchant (regardless of acceptance channel) processing 1,000,000 to 6,000,000 Visa transactions per year.

Level 3: Any merchant processing 20,000 to 1,000,000 Visa eCommerce transactions per year.

Level 4: Any merchant processing fewer than 20,000 Visa eCommerce transactions per year, and all other merchants (regardless of acceptance channel) processing up to 1,000,000 Visa transactions per year.

Complying with the AIS Program

In addition to adhering to the 12 security requirements and sub-requirements of the Payment Card Industry's Data Security Standard (PCI-DSS), compliance validation is required for Level 1, Level 2 and Level 3 merchants. It is strongly recommended for Level 4 merchants as well.

Validation actions by merchant level (validation action, validated by, due date):

Level 1 (due 9/30/2010): On-site review, validated by a QSA; PCI Security Scans, validated by an ASV.

Level 2 (due 9/30/2011): Annual PCI Questionnaire, validated by the Acquirer; PCI Security Scans, validated by an ASV.

Level 3 (due 12/31/2005): Annual PCI Questionnaire, validated by the Acquirer; PCI Security Scans, validated by an ASV.

Level 4**: Annual PCI Questionnaire (N/A); PCI Security Scans, validated by an ASV.

**Level 4 merchants must also comply with the PCI Data Security Standard. The method of compliance validation for this category is determined by a merchant's Acquirer.

Validation Procedures and Documentation

A merchant must demonstrate compliance by submitting the required documentation to its Acquirer. This documentation must be made available to Visa upon request. Compliance validation is performed at the merchant's expense.

Level 1 Merchant:

The Annual PCI Questionnaire and Annual On-Site PCI Data Security Assessment must be completed by Level 1 merchants according to the PCI DSS Security Assessment Procedures, and the results provided to the Acquirer. The PCI-DSS procedures are to be used as a template for the Report on Compliance. Although Acquirers are responsible for the security of Visa cardholder data wherever they are housed, the scope of AIS compliance validation for Level 1 merchants is focused on any system(s) or system component(s) related to authorization and settlement where Visa cardholder data are stored, processed or transmitted.

Every other year, Level 1 merchants (but not service providers) may choose to have their internal audit department perform their PCI-DSS review, provided:

  1. There are no major infrastructure changes to their credit card processing environment and no change in their compensating controls.
  2. The Acquirer approves this option.
  3. The very first review (validation of full compliance with the PCI-DSS) is performed by a QSA.
  4. PCI Security Assessment Procedures are followed and all observations and findings documented within the Audit form.
  5. The review is approved by a merchant’s senior officer.
  6. The merchant submits Items 4 and 5 to the Acquirer for review.
  7. PCI Security Scans are continued with an Approved Scanning Vendor.

If an internal audit is not used, a QSA must perform the validation.

Level 2 and 3 Merchants:

The Annual PCI Questionnaire and PCI Security Scans must be completed by Level 2 and 3 merchants. The Annual PCI Questionnaire must be submitted to the merchant's Acquirer. The Annual PCI Questionnaire must address any system(s) or system component(s) involved in processing, storing or transmitting Visa cardholder data.

Level 4 Merchants:

Level 4 merchants must also comply with the PCI Data Security Standard; however, the method of compliance validation for the merchant in this category is determined by the merchant's Acquirer.