Merchants

Overview

Acquirers are responsible for ensuring that all of their merchants comply with the PCI Data Security Standard (DSS) requirements; however, merchant compliance validation has been prioritized according to transaction volume and the potential risk and exposure each merchant introduces into the payment system.

Prohibited Data Storage Deadline for Level 1 and 2 Merchants
By 30 September 2009, acquirers must confirm that their Level 1 and 2 merchants do not retain sensitive authentication data (i.e., full magnetic stripe/track data, CVV2 or PIN data) after transaction authorization.
PCI DSS Compliance Validation Deadline for Level 1 Merchants
By 30 September 2010, acquirers must attest that each of their Level 1 merchants has validated full PCI DSS compliance.
Level 1, 2 and 3 Merchant Compliance Reporting
To ensure compliance with the AIS program requirements, acquirers must report Level 1, 2 and 3 merchant compliance status twice a year (31 March and 30 September 2009), as follows:

  • Acquirer reports to include status of each Level 1 merchant
  • Acquirer reports to include status of each Level 2 merchant
  • Statistical reporting metrics for Level 3 merchants

Note: Acquirer reports to also include qualifying Level 1 and 2 merchants for Technology Innovation Program (TIP).

Merchant Levels

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ("DBA"). In cases where a merchant corporation has more than one DBA, acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA's individual transaction volume to determine the validation level.

Merchant Level*   Description

Level 1
  Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region**.
  Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2
  Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3
  Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4
  Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.

* Any merchant that has suffered a breach resulting in an account data compromise may be escalated to a higher validation level.
** A merchant that meets the Level 1 criteria in any Visa country/region and operates in more than one country/region is considered a global Level 1 merchant. Exceptions may apply to global merchants if no common infrastructure exists or if Visa data is not aggregated across borders; in such cases the merchant validates according to regional levels.

Compliance validation requirements

In addition to adhering to the PCI Data Security Standard, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants.

Level   Validation Action   Validated By

Level 1
  Validation action: Annual on-site PCI Data Security Assessment and quarterly network scan
  Validated by: Qualified Security Assessor, or internal audit if the report is signed by an officer of the company (assessment); Approved Scanning Vendor (scan)
Level 2
  Validation action: Annual PCI Self-Assessment Questionnaire (SAQ) and quarterly network scan
  Validated by: Merchant (SAQ); Approved Scanning Vendor (scan)
Level 3
  Validation action: Annual PCI Self-Assessment Questionnaire (SAQ) and quarterly network scan
  Validated by: Merchant (SAQ); Approved Scanning Vendor (scan)
Level 4*
  Validation action: Annual PCI Self-Assessment Questionnaire (SAQ) and quarterly network scan (if applicable)
  Validated by: Merchant (SAQ); Approved Scanning Vendor (scan)

* The PCI DSS requires that all merchants with externally-facing IP addresses perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by Level 4 merchants.

Validation procedures and documentation

Acquirers must ensure that their merchants validate at the appropriate level and obtain the required compliance validation documentation from their merchants. Acquirers must submit twice-yearly status reports to Visa, and all compliance validation documentation must be made available to Visa upon request. Acquirers and merchants should also verify the compliance reporting requirements of other payment card brands, which may require their own proof of compliance validation. Compliance validation takes place at the merchant's expense, as follows:

Level 1 Merchants

Quarterly Network Security Scans and an Annual On-Site PCI Data Security Assessment must be completed for Level 1 merchants according to the PCI Requirements and Security Assessment Procedures document. This document is also to be used as the template for the Report on Compliance.

Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their acquirer. Alternatively, acquirers may elect to accept the Report on Compliance from a Level 1 merchant if an internal review has taken place, provided that the report is signed by a merchant officer (CTO, CFO, CEO, CCO).

Acquirers must submit the merchant compliance validation report to Visa upon receipt and acceptance of the merchant's validation documentation.


Level 2/Level 3 Merchants

The Annual PCI Self-Assessment Questionnaire and Quarterly Network Security Scans must be completed by Level 2 and 3 merchants. Acquirers are responsible for ensuring that the quarterly network security scans required of their merchants are performed by an Approved Scanning Vendor. The Quarterly Network Security Scan is applicable to merchants with externally-facing IP addresses.


Level 4 Merchants

Level 4 merchants may be required to complete the PCI Self-Assessment Questionnaire and/or Network Security Scan as specified by their acquirer.


Risk-based PCI DSS Validation

Visa is promoting secure payments through multiple layers of security that include the PCI Data Security Standard, increased use of secure technologies such as EMV chip with iCVV, and available tools such as encryption to devalue data. Through risk-based PCI DSS validation, merchants are able to meet Visa's compliance requirements by implementing key elements of the PCI DSS in conjunction with the other risk control measures outlined below.

Merchants that

  • have implemented end-to-end encryption¹; and/or
  • process EMV chip transactions² in countries where iCVV penetration³ is 75 percent or higher

have the following two additional options to choose from when fulfilling Visa PCI DSS compliance validation requirements.

1. Merchants that have validated their compliance with milestones one through four of the PCI SSC's Prioritized Approach will be recognized as fulfilling Visa PCI DSS validation requirements.

Note: Only those merchants meeting all PCI DSS requirements are considered fully PCI DSS compliant. Acquirers of merchants that are not fully PCI DSS compliant remain liable for losses and potential fines resulting from a data compromise. Visa reserves the right to require merchants to validate full PCI DSS compliance in the event of the loss or theft of Visa cardholder data. The following table outlines this approach.

PCI SSC Prioritized Approach Milestone   Visa validation requirement for merchants that have implemented end-to-end encryption and/or EMV chip with iCVV   Visa compliance actions

Milestones 1 to 4
  1 Remove sensitive authentication data and limit data retention
  2 Protect the perimeter, internal and wireless networks
  3 Secure applications
  4 Protect through monitoring and access control
  Visa validation requirement: Visa risk-based PCI DSS validation against milestones one through four is required.
  Visa compliance actions: The merchant has met Visa's compliance validation requirements. The acquirer remains liable for losses and fines resulting from a potential data compromise of the merchant.

Milestones 5 and 6
  5 Render cardholder data unreadable
  6 Achieve final compliance and maintenance of PCI DSS
  Visa validation requirement: Validation against milestones five and six is recommended, as deemed necessary by Visa.
  Visa compliance actions: Full PCI DSS compliance.

2. Merchants that have attested to not storing prohibited data and process EMV chip transactions in markets where iCVV penetration is higher than 75 percent may exclude chip transactions from their overall annual transaction volume and define their merchant level by the annual volume of non-chip transactions.

When considering only non-chip transactions, acquirers may reduce their merchant's validation level by no more than one level from the original validation level based on the overall transaction volume. Accordingly, qualifying Level 1 merchants that process fewer than six million non-chip transactions may reduce their merchant level to Level 2 and validate PCI DSS compliance by completing the Self-Assessment Questionnaire and quarterly vulnerability scans. Level 1 merchants, however, cannot be reduced to Level 3 or Level 4.


¹ "End-to-end encryption" is defined as encryption of sensitive account data, such as the primary account number, PIN and card verification values, from the point of entry into the point-of-sale device (via magnetic stripe, chip or key entry), through transaction submission for processing, and anywhere cardholder data may traverse a merchant's network, such that the data is never decrypted on the merchant's systems.
² "Chip transaction" is defined as a transaction initiated by a chip card and processed by a chip-enabled terminal by reading the cardholder data from the chip in accordance with the Visa International Operating Regulations.
³ Visa will advise acquirers of the level of iCVV penetration in their market when their merchant implements the risk-based approach to validate PCI DSS compliance.
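The merchant level rules above (volume thresholds, aggregation across DBAs, and the chip-transaction exclusion capped at one level) are a small decision procedure with edge cases that acquirer tooling tends to get wrong, so here is an added worked example. It is not Visa's code or part of this page: the Merchant record and its field names are hypothetical, and the page does not say which level applies at exactly 20,000, 1,000,000 or 6,000,000 transactions, so the boundary handling (strictly over 6 million for Level 1, each lower band inclusive of its lower bound) and the treatment of chip transactions as card-present (so the e-commerce count is unchanged by the exclusion) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Volume thresholds from the merchant level table (Visa transactions, all card
# products, over 12 months). Boundary handling is an assumption: "over 6 million"
# is treated as strictly greater, and each lower band includes its lower bound.
LEVEL_1_OVER = 6_000_000
LEVEL_2_FROM = 1_000_000
LEVEL_3_ECOM_FROM = 20_000
ICVV_PENETRATION_REQUIRED = 75.0   # percent; risk-based option 2 requires "higher than 75"


@dataclass
class Merchant:
    """Hypothetical record for one DBA (field names are assumptions)."""
    name: str
    total_txns: int                          # all Visa transactions, all channels
    ecom_txns: int                           # e-commerce subset of total_txns
    chip_txns: int = 0                       # EMV chip subset of total_txns
    visa_designated_level1: bool = False     # Visa's discretionary Level 1 designation
    global_level1: bool = False              # Level 1 in any Visa region
    no_prohibited_data_attested: bool = False
    icvv_penetration_pct: float = 0.0        # advised by Visa (footnote 3)


def volume_level(total: int, ecom: int, designated: bool = False,
                 global_l1: bool = False) -> int:
    """Merchant level from transaction volume alone (no risk-based reduction)."""
    if designated or global_l1 or total > LEVEL_1_OVER:
        return 1
    if total >= LEVEL_2_FROM:
        return 2
    if ecom >= LEVEL_3_ECOM_FROM:
        return 3
    return 4


def corporate_levels(dbas: List[Merchant], shared_cde: bool) -> Dict[str, int]:
    """Levels for a corporation with several DBAs.

    If the corporate entity stores, processes or transmits cardholder data on
    behalf of multiple DBAs, every DBA takes the level of the aggregate volume;
    otherwise each DBA is levelled on its own volume.
    """
    if shared_cde:
        level = volume_level(sum(d.total_txns for d in dbas),
                             sum(d.ecom_txns for d in dbas),
                             any(d.visa_designated_level1 for d in dbas),
                             any(d.global_level1 for d in dbas))
        return {d.name: level for d in dbas}
    return {d.name: volume_level(d.total_txns, d.ecom_txns,
                                 d.visa_designated_level1, d.global_level1)
            for d in dbas}


def risk_based_level(m: Merchant) -> int:
    """Risk-based option 2: level by non-chip volume, reduced by at most one level.

    Only merchants that attest to storing no prohibited data and process chip
    transactions where iCVV penetration exceeds 75 percent qualify. A larger
    level number is a lower level, so the cap is base + 1; this is what keeps a
    Level 1 merchant from ever dropping to Level 3 or 4.
    """
    base = volume_level(m.total_txns, m.ecom_txns,
                        m.visa_designated_level1, m.global_level1)
    qualifies = (m.no_prohibited_data_attested
                 and m.chip_txns > 0
                 and m.icvv_penetration_pct > ICVV_PENETRATION_REQUIRED)
    if not qualifies:
        return base
    non_chip = m.total_txns - m.chip_txns
    # Assumption: chip transactions are card-present, so e-commerce volume is unchanged.
    relevelled = volume_level(non_chip, m.ecom_txns,
                              m.visa_designated_level1, m.global_level1)
    return min(relevelled, base + 1)


def validation_actions(level: int, externally_facing_ips: bool,
                       acquirer_requires_level4: bool = False) -> List[str]:
    """Validation actions from the compliance validation table for a given level."""
    actions: List[str] = []
    if level == 1:
        actions.append("Annual on-site assessment (QSA, or internal audit signed by an officer)")
    elif level in (2, 3) or acquirer_requires_level4:
        actions.append("Annual Self-Assessment Questionnaire")
    if externally_facing_ips and (level != 4 or acquirer_requires_level4):
        actions.append("Quarterly external network scan by an Approved Scanning Vendor")
    return actions


if __name__ == "__main__":
    # Constructed sample: a Level 1 retailer whose volume is mostly chip.
    retailer = Merchant("retailer", 7_000_000, 30_000, chip_txns=6_950_000,
                        no_prohibited_data_attested=True, icvv_penetration_pct=80)
    lvl = risk_based_level(retailer)   # 50,000 non-chip would be Level 3; capped at 2
    print(retailer.name, "->", f"Level {lvl}", validation_actions(lvl, True))
```

The cap is applied as `min(relevelled, base + 1)` rather than as a special case for Level 1, so the same rule handles a Level 2 merchant whose non-chip volume would otherwise put it at Level 4: it stops at Level 3.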

Technology Innovation Program (TIP)

The Visa Technology Innovation Program (TIP) is part of Visa's ongoing strategy to protect the payment system and advance security practices that will help secure cardholder data. This program rewards and further encourages the use of EMV technology as it decreases the value of transaction data to criminals.

Effective 31 March 2011, this program allows qualifying merchants outside of the United States to discontinue their annual PCI DSS revalidation assessment. Qualifying merchants can reap meaningful savings, and will have the opportunity to re-invest those savings into additional technology to support dynamic data processing.

Minimum Merchant Qualification Standards
To qualify for the program and receive its benefits, merchants must meet all of the following criteria:

  • The merchant must have validated PCI DSS compliance previously, or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance based on a gap analysis.
  • The merchant must have confirmed that sensitive authentication data (i.e., the full contents of the magnetic stripe, CVV2 and PIN data) is not stored, as defined in the PCI DSS.
  • At least 75 percent of the merchant's transaction count must originate from enabled Chip-Reading Device¹ terminals (i.e., contact and/or dual-interface contact/contactless terminals).
  • The merchant must not be involved in a breach of cardholder data. A breached merchant may qualify for TIP if it has subsequently validated PCI DSS compliance.

Merchants that do not meet the above minimum merchant qualification standards and merchants whose transaction volume is primarily from e-commerce and MO/TO acceptance channels are required to continue validating their PCI DSS compliance annually in accordance with Visa compliance programs.

All merchants are required to maintain ongoing PCI DSS compliance and protect their customers' data. Acquirers retain full responsibility for merchants' PCI DSS compliance, as well as responsibility for any fees, fines or penalties, which may be applicable in the event of a data breach.

¹ Enabled Chip-Reading Devices must have current, valid EMV approval, pass the Visa Acquirer Device Validation Toolkit (ADVT) / Visa payWave Test Tool (VpTT) implementation requirements as applicable, and comply with the Visa Transaction Acceptance Device Requirements (TADR).