PCI DSS compliance in Canada
Security standards that benefit everyone.
Payment Card Industry Data Security Standard (DSS) compliance is required of all entities that store, process, or transmit Visa cardholder data, including financial institutions, merchants and service providers. Visa’s programmes manage PCI DSS compliance by requiring that participants demonstrate compliance on a regular basis.
Visa’s Cardholder Information Security Program (CISP) is a compliance program intended to protect Visa cardholder data by ensuring clients, merchants, and service providers maintain the highest information security standard.
The PCI Security Standards Council (SSC) owns, maintains and manages the PCI DSS and all its supporting documents; however, Visa manages all data security compliance enforcement and validation initiatives.
Issuers and acquirers are responsible for ensuring that all of their service providers, merchants and merchants’ service providers comply with the PCI DSS requirements.
Merchant compliance validation has been prioritized based on transaction volume and on the potential risk and exposure introduced into the payment system.
Issuers and acquirers must ensure all their Level 1 and Level 2 service providers demonstrate PCI DSS compliance at the time of Third Party Agent (TPA) registration and every 12 months thereafter.
Acquirers must ensure that their merchants validate at the appropriate level and obtain the required compliance validation documentation from their merchants. Merchant banks and merchants should also verify the compliance reporting requirements of other payment card brands which may require proof of compliance validation.
Level 1 Service Providers not directly connected to Visa are required to complete the annual on-site PCI data security assessment and submit an executed attestation of compliance (AOC), signed by both the service provider and the qualified security assessor (QSA) to Visa. Level 2 service providers must submit a signed self-assessment questionnaire (SAQ-D) form or an AOC including QSA signature. PCI DSS compliance validation is required before a service provider can be listed on the Visa Global Registry of Service Providers (the Registry).
The Visa Core Rules and Visa Product and Service Rules govern the activities of client financial institutions and, by extension, of service providers and merchants as participants in the Visa payment system.
Issuers and acquirers are responsible for ensuring the PCI DSS compliance of their service providers and merchants, including the service providers a merchant uses. A service provider or merchant must maintain full compliance at all times. (VCR section ID #0002228 and #0008031)
If a service provider or merchant does not comply with the PCI DSS or fails to rectify a security issue, Visa may assess a non-compliance assessment to the issuer or acquirer. The issuer or acquirer is responsible for paying all assessments and must not represent that Visa has imposed any assessment on the service provider or merchant. (VCR section ID #0001054)
Assessments may be waived if there is no evidence of PCI DSS non-compliance prior to, and at the time of, a data breach, as demonstrated during a forensic investigation.
Acquirers of compromised Level 3 and Level 4 merchants may be granted safe harbour from non-compliance assessments if the Level 3 or Level 4 merchant has implemented an approved security measure prior to the date of intrusion of the compromise event.
Acquirers can contact Visa Risk at [email protected] for more information regarding the Secure Acceptance Incentive Program.
Visa developed the PCI Compliance Acceleration Program to provide financial incentives and establish enforcement provisions for acquirers to ensure their merchants validate PCI DSS compliance.
In accordance with the PCI Compliance Acceleration Program, merchant banks must additionally ensure that all Level 1 and 2 merchants validate that prohibited data is not retained by submitting a completed Prohibited Data Retention Attestation form or the PCI DSS Attestation of Compliance (AOC).
Related content:
Merchant PCI DSS Compliance Update – a highlight of compliance progress for Level 1, 2 and 3 merchants
Visa developed TIP to recognize and acknowledge merchants that have taken action to prevent counterfeit fraud by investing in EMV chip technology. The programme is part of Visa's overall effort to introduce more dynamic authentication data into the payment system and prepare for the use of emerging technologies that aid in the protection of the payment system by encouraging merchant investment in contact and contactless chip payment terminals. Effective 1 April 2015, TIP qualification expanded to merchants that have invested in a validated point-to-point encryption solution.
Payment Application Data Security Standard (PA-DSS)
Visa strongly encourages payment application vendors to develop and validate the conformance of their products to the PA–DSS. PA–DSS compliant applications help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data and support overall compliance with the PCI DSS. PA–DSS applies only to third–party payment application software that stores, processes or transmits cardholder data as part of an authorization or settlement. In–house software applications are covered within a merchant or agent's PCI DSS assessment.
On January 1, 2008, Visa implemented a series of mandates to eliminate the use of vulnerable payment applications from the Visa payment system. These mandates require acquirers to ensure that their merchants and agents do not use payment applications known to retain sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and require the use of payment applications that are compliant to the PA–DSS.
Visa Top Ten Best Practices for Payment Application Companies
While many payment application vendors have deployed PA–DSS compliant payment applications, there is growing concern that updates to payment software are not being consistently developed to ensure that known vulnerabilities are not being reintroduced. In addition, there is concern that payment software is not being securely implemented at customer sites.
Merchant and agent compromises reveal that a number of payment application companies follow poor software practices when installing payment applications and systems, support customers using weak, shared or default access credentials, and manage customer sites using poorly implemented remote management tools. Criminals can exploit these vulnerable entry points to gain access to cardholder environments.
Visa has developed a set of best practices to help payment application companies address critical software processes. As part of their due diligence, acquirers, merchants and agents should ensure that the payment application companies they use have passed the rigour of mature software processes.
Visa has identified that certain payment applications are designed by software vendors to store sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) subsequent to transaction authorization. Storage of these cardholder data elements is in direct violation of the PCI DSS and Visa rules. Criminals are targeting merchants and agents that use these vulnerable payment applications and are exploiting these security vulnerabilities to find and steal cardholder data.
Visa will alert key stakeholders, including acquirers, on an as-needed basis with an updated list of vulnerable payment applications to help mitigate compromises. If you discover a vulnerable payment application and have specific information about the payment application vendor, the application version, where sensitive cardholder data is stored and the vendor's contact details, please notify Visa via email at [email protected]. All information provided will be verified with the software vendor; Visa will not reveal to any software vendor the source of the information or disclose anything that would reveal the source's identity.
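The prohibited data elements named above (full magnetic stripe data and CVV2) have recognisable textual layouts, so a merchant or assessor can scan application logs and data files for them when validating that prohibited data is not retained after authorization. The following is an added illustration, not Visa's or the PCI SSC's code; the log lines, the test PAN and the regular expressions are constructed for the example, and the field labels it looks for are assumptions about how an application might log the values.

```python
import re
from typing import List, Tuple

# Constructed sample log lines such as a payment application might write.
# The PAN 4111111111111111 and the track fields are synthetic test values.
SAMPLE_LOG = """\
2024-01-01 10:00:01 auth ok pan=4111111111111111 exp=2512 amt=19.99
2024-01-01 10:00:02 raw swipe %B4111111111111111^DOE/JOHN^2512101123456789?
2024-01-01 10:00:03 raw track2=;4111111111111111=25121011234567890000?
2024-01-01 10:00:04 keyed cvv2=123 pan=4111111111111111
2024-01-01 10:00:05 auth ok pan=411111******1111 amt=5.00
"""

# Track 1: %B<PAN>^<NAME>^<YYMM><service code>...  Track 2: <PAN>=<YYMM><service code>...
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}")
TRACK2_RE = re.compile(r"\b(\d{13,19})=\d{4}\d{3}")
# Card verification value written as a labelled field (assumed labels: cvv2/cvc2/cid).
CVV2_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.I)

def luhn_ok(pan: str) -> bool:
    """Luhn checksum; discards digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_prohibited_data(text: str) -> List[Tuple[int, str]]:
    """Return (line number, kind) for every line holding sensitive
    authentication data: full track 1 or track 2, or a CVV2 value.
    A cleartext PAN on its own is not flagged here, since PCI DSS governs
    how it is protected rather than forbidding it; encrypted PIN blocks have
    no reliable textual signature and are out of scope for this scan."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            m = rx.search(line)
            if m and luhn_ok(m.group(1)):
                findings.append((lineno, kind))
        if CVV2_RE.search(line):
            findings.append((lineno, "cvv2"))
    return findings

if __name__ == "__main__":
    for lineno, kind in find_prohibited_data(SAMPLE_LOG):
        print(f"line {lineno}: {kind} retained after authorization")
```

Any hit is evidence of prohibited data retention and should be raised with the application vendor and the acquirer rather than cleaned up silently.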
Visa developed the Payment Application Best Practices (PABP) in 2005 to provide software vendors guidance in developing payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and support overall compliance with the PCI DSS. In 2008, the PCI Security Standards Council adopted Visa's PABP and released the standard as the PA–DSS. The PA–DSS now replaces PABP for the purpose of Visa's compliance program.