Payment Card Industry Data Security Standard (PCI DSS) compliance is required of all entities that store, process, or transmit Visa cardholder data, including financial institutions, merchants and service providers. Visa’s programs manage PCI DSS compliance by requiring that participants demonstrate compliance on a regular basis.
Keep your cardholders safe
Learn about Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS compliance
Visa’s Cardholder Information Security Program (CISP) is a compliance program intended to protect Visa cardholder data by ensuring clients, merchants, and service providers maintain the highest information security standard.
The PCI Security Standards Council (SSC) owns, maintains and manages the PCI DSS and all its supporting documents; however, Visa manages all data security compliance enforcement and validation initiatives.
Issuers and acquirers are responsible for ensuring that all of their service providers, merchants, and merchants’ service providers comply with the PCI DSS requirements.
Merchant compliance validation has been prioritized based on the volume of transactions, the potential risk, and exposure introduced into the payment system.
Learn about the merchant levels
Issuer and acquirers must ensure all their Level 1 and Level 2 service providers demonstrate PCI DSS compliance at the time of Third Party Agents (TPA) registration and every 12 months thereafter.
Acquirers must ensure that their merchants validate at the appropriate level and obtain the required compliance validation documentation from their merchants. Merchant banks and merchants should also verify the compliance reporting requirements of other payment card brands which may require proof of compliance validation.
Level 1 Service Providers not directly connected to Visa are required to complete the annual on-site PCI data security assessment and submit an executed attestation of compliance (AOC), signed by both the service provider and the qualified security assessor (QSA) to Visa. Level 2 service providers must submit a signed self-assessment questionnaire (SAQ-D) form or an AOC including QSA signature. PCI DSS compliance validation is required before a service provider can be listed on the Visa Global Registry of Service Providers (the Registry).
The Visa Core Rules and Visa Product and Service Rules governs the activities of client financial institutions and, by extension, service providers and merchants as participants in the Visa payment system.
Issuers and acquirers are responsible for ensuring the PCI DSS compliance of its service providers and merchants, including service providers the merchant is using. A service provider and merchant must maintain full compliance at all times. (VCR section ID #0002228 and #0008031)
If a service provider or merchant does not comply with the PCI DSS or fails to rectify a security issue, Visa may assess a non-compliance assessment to the issuer or acquirer. The issuer or acquirer is responsible for paying all assessments and must not represent that Visa has imposed any assessment on the service provider or merchant. (VCR section ID #0001054)
Acquirers can contact Visa Risk at [email protected] for more information.
PIN Security Program
Visa is simplifying PIN security compliance validation across all regions.
PIN Security Program Guide Now Public
The PIN Security Program Guide is now publicly available. The basic requirements of Visa’s PIN Security Program remain unchanged, however, the program guide has been updated to include clarifications and additional information, including:
- Identification of the Visa Core Rules and Visa Product and Service Rules specific to the Visa PIN Program
- Definitions of validating and non-validating participants
- Enhanced description of Encryption and Support Organizations (ESO)
PIN Security Webinar Deck and FAQ Now Available
In May 2015 Visa hosted a webinar for all PIN Security Program participants. Below is the deck that was presented and the accompanying FAQ based on questions asked during and after the webinar sessions.
PIN Security Enforcement Plan announced: 2015
Visa clients must ensure that their acquiring third party agents that are identified as Visa PIN program participants perform their compliance validation no later than December 31, 2015.
The letter below was sent to all PIN Program Participants that have not scheduled or performed their Visa PIN Security compliance validation.
Visa Introduces PIN Security Enforcement Plan
PCI PIN Security Requirements updated: 2015
To enhance validation methods and improve consistency with compliance assessments, the Payment Card Industry Security Standards Council has released version 2.0 of its PIN security requirements. Effective 1 July 2015, Visa PIN Security Program participants must start their PIN security compliance assessments according to version 2.0.
- PCI PIN Security Requirements
- Pin Entry Device (PED) Requirements
- PCI ATM Security Guidelines
- PCI PIN Security Assessment Questionnaire (SAQ) V2
- Registration and Compliance Requirements for Encryption Support Organizations
- Encrypting PIN Pads Must be Industry-Approved – PDF—07 December 2012
- Maximize Point-of-Sale PIN-Entry Device Security—06 December 2012
- Help Protect Cardholder Data From Attacks on PIN Entry Devices—16 November 2012
- Update On Visa’s Compliance Policy for TDES—22 April 2009
Payment Application Data Security Standard (PA-DSS)
Visa strongly encourages payment application vendors to develop and validate the conformance of their products to the PA–DSS. PA–DSS compliant applications help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data, and support overall compliance with the PCI DSS. PA–DSS applies only to third–party payment application software that stores, processes or transmits cardholder data as part of an authorization or settlement. In–house software applications are covered within a merchant or agent's PCI DSS assessment.
On January 1, 2008, Visa implemented a series of mandates to eliminate the use of vulnerable payment applications from the Visa payment system. These mandates require acquirers to ensure that their merchants and agents do not use payment applications known to retain sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and require the use of payment applications that are compliant to the PA–DSS.
While many payment application vendors have deployed PA–DSS compliant payment applications, there is growing concern that updates to payment software are not being consistently developed to ensure that known vulnerabilities are not being reintroduced. In addition, there is concern that payment software is not being securely implemented at customer sites.
Merchant and agent compromises reveal that a number of payment application companies have poor software practices when installing payment applications and systems, support customers using weak, shared or default access credentials, and manage customer sites using poorly implemented remote management tools. Criminals can exploit these vulnerable entries and gain access to cardholder environments.
Visa has developed a set of best practices to help payment application companies address critical software processes. As part of their due diligence, acquirers, merchants and agents should ensure that the payment application companies they use have passed the rigor of mature software processes.
Visa Top Ten Best Practices for Payment Application Companies
Visa has identified that certain payment applications are designed by software vendors to store sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) subsequent to transaction authorization. Storage of these cardholder data elements is in direct violation of the PCI DSS and Visa rules. Criminals are targeting merchants and agents that use these vulnerable payment applications and are exploiting these security vulnerabilities to find and steal cardholder data.
Visa will alert key stakeholders, including acquirers to help mitigate compromises, on an as-needed basis with an updated list of vulnerable payment applications. If you discover a vulnerable payment application and have specific information as to the payment application vendor, application version, where sensitive cardholder data is stored and vendor contact information, please notify Visa via email at [email protected]. All information provided will be verified through the software vendor, Visa will not reveal to any software vendor the source of information or disclose information that would reveal the source's identity.
Visa developed the Payment Application Best Practices (PABP) in 2005 to provide software vendors guidance in developing payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and support overall compliance with the PCI DSS. In 2008, the PCI Security Standards Council adopted Visa's PABP and released the standard as the PA–DSS. The PA–DSS now replaces PABP for the purpose of Visa's compliance program.