Visa Sets 2009 Global PCI DSS Deadlines

Data Security Compliance Requirements Aligned Across Visa Regions

San Francisco, CA, November 10, 2008

Visa Inc. (NYSE: V) today announced global mandates for compliance with the Payment Card Industry Data Security Standard (PCI DSS), creating a consistent framework for compliance among merchants, service providers and their agents.     


 


The enhancements include a global set of requirements for merchants to validate their compliance with PCI DSS and, for the largest merchants, dates by which they must achieve validation. Deadlines are also set for large and mid-level merchants to demonstrate that they are not storing certain types of sensitive card data. Service provider levels and PCI DSS validation requirements have likewise been aligned under a global standard and compliance timeline. Compliance with PCI DSS will help protect businesses from financial and reputational harm that often results from cardholder data compromises. Visa data security compliance programs have provided compelling incentives for merchants and agents to properly secure cardholder data.


The new framework establishes the minimum requirements for Visa Inc. regions. As an independent company and licensee of Visa International for the business operations in European markets, Visa Europe’s PCI DSS framework requires compliance validation and risk mitigation for Level 1 merchants; however, the region will be adhering to a different timeline and process for executing compliance validation.


“Compliance with PCI DSS is vital to ensuring the integrity of the global payments system,” said Eduardo Perez, head of global data security, Visa Inc.  “Aligning compliance programs across the Visa regions is the latest step in our commitment to safeguarding cardholder data.” 


MERCHANT VALIDATION REQUIREMENTS


Alignment of Merchant Levels and PCI DSS Validation Requirements
A comprehensive set of international security requirements for safeguarding cardholder data, PCI DSS was developed by Visa along with the four other founding payment brands of the PCI Security Standards Council.  Compliance is required of all merchants and any entity that stores, processes or transmits cardholder data. 


Validation of compliance is part of that process, with validation requirements varying for merchants based on factors such as transaction volume.  Visa has globally aligned merchant levels and annual PCI DSS validation requirements as follows:

| Level / Tier¹ | Merchant Criteria | Validation Requirements |
|---|---|---|
| 1 | Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region² | Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”); Quarterly network scan by Approved Scan Vendor (“ASV”); Attestation of Compliance Form |
| 2 | Merchants processing 1 million to 6 million Visa transactions annually (all channels) | Annual Self-Assessment Questionnaire (“SAQ”); Quarterly network scan by ASV; Attestation of Compliance Form |
| 3 | Merchants processing 20,000 to 1 million Visa e-commerce transactions annually | Annual SAQ; Quarterly network scan by ASV; Attestation of Compliance Form |
| 4 | Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually | Annual SAQ recommended; Quarterly network scan by ASV if applicable; Compliance validation requirements set by acquirer |


1 – Compromised entities may be escalated at regional discretion
2 – Merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant.  Exception may apply to global merchants if no common infrastructure and if Visa data is not aggregated across borders; in such cases merchant validates according to regional levels.


 

Acquirers are responsible for their merchant customers’ compliance and must provide regular compliance status reports to Visa on their Level 1, 2 and 3 merchants at least twice a year. Compliance validation guidelines for Level 4 merchants will be determined by their respective acquirers.


Prohibited Data Storage Deadline for Level 1 and 2 Merchants – September 30, 2009
Visa will require confirmation from acquirers by September 30, 2009 that their Level 1 and 2 merchants do not retain sensitive payment card data such as full magnetic stripe (also known as track data), security codes or PIN data after transaction authorization. 


“Hackers are looking for this type of data because of its use in counterfeiting payment cards, and that is why Visa prohibits its storage,” said Perez. 


After the deadline, Visa will impose appropriate risk controls, up to and including acquirer fines for failure to provide an attestation form to Visa confirming that each of the acquirer’s Level 1 and 2 merchants does not retain prohibited data. The September 30, 2009 deadline does not supersede any applicable earlier regional deadlines and related enforcement programs previously established.


PCI DSS Compliance Validation Deadline for Level 1 Merchants – September 30, 2010
Visa will require acquirers to provide an Attestation of Compliance for each of their Level 1 merchants demonstrating that each has validated full PCI DSS compliance by September 30, 2010.  After that date, Visa will impose appropriate risk controls, up to and including acquirer fines for failure to provide an attestation form to Visa confirming that each of its Level 1 merchants has validated full PCI DSS compliance.  The September 30, 2010 deadline does not supersede any applicable earlier regional deadlines and related enforcement programs previously established. 


SERVICE PROVIDER VALIDATION REQUIREMENTS


Alignment of Service Provider Levels and PCI DSS Validation Requirements
Effective February 1, 2009, service providers that store, process or transmit Visa cardholder data on behalf of Visa acquirers, issuers, merchants or other service providers will fall into one of two service provider levels:

| Level | All Regions | Validation Requirements | Result |
|---|---|---|---|
| 1 | VisaNet processors or any service provider that stores, processes and / or transmits over 300,000 transactions per year | Annual ROC by QSA; Quarterly network scan by ASV; Attestation of Compliance Form | Included on Visa’s list of compliant Service Providers |
| 2 | Any service provider that stores, processes and / or transmits less than 300,000 transactions per year | Annual SAQ; Quarterly network scan by ASV; Attestation of Compliance Form | Not included on Visa’s list / Confirmation Letter of Receipt² |

1 – Eliminates gateway definition from several existing regional programs
2 – May choose to validate as a Level 1 service provider to be included in Visa’s List of Compliant Service Providers


In addition to aligning service provider validation levels globally, Visa will implement a common PCI DSS full compliance validation process for all service providers.  Effective February 1, 2009, Visa will only require submission of an executed Attestation of Compliance Form and the “Executive Summary” section of the service provider’s Report on Compliance (ROC) to demonstrate full PCI DSS compliance as a Level 1 service provider.  Level 2 service providers will submit version D of the Self-Assessment Questionnaire (SAQ).  Issuers and acquirers are responsible for reviewing the accuracy of the SAQ.


A “List of Compliant Service Providers” is available at www.visa.com to help issuers, acquirers and merchants identify and use PCI DSS compliant service providers.


“Standardizing compliance requirements better addresses the security risks in our truly global marketplace and is critical to ensuring the future growth of electronic payments worldwide,” Perez concluded.


Summary of Aligned Framework by Date

| Effective Date | Globally Aligned Mandate |
|---|---|
| February 1, 2009 | Effective date for globally aligned Service Provider level definitions |
| September 30, 2009 | Acquirers must attest that Level 1 and 2 merchants do not retain prohibited payment card data subsequent to authorization of a transaction |
| September 30, 2010 | PCI DSS compliance validation deadline for Level 1 merchants |


About Visa
Visa operates the world’s largest retail electronic payments network providing processing services and payment product platforms. This includes consumer credit, debit, prepaid and commercial payments, which are offered under the Visa, Visa Electron, Interlink and PLUS brands. Visa enjoys unsurpassed acceptance around the world and Visa/PLUS is one of the world’s largest global ATM networks, offering cash access in local currency in more than 170 countries. For more information, visit www.corporate.visa.com.