Security standards that benefit everyone.
Payment Card Industry Data Security Standard (DSS) compliance is required of all entities that store, process or transmit Visa cardholder data, including financial institutions, merchants and service providers. Visa’s programmes manage PCI DSS compliance by requiring that participants demonstrate compliance on a regular basis.
Learn about merchant requirements
Visa’s Cardholder Information Security Programme (CISP) is a compliance programme intended to protect Visa cardholder data by ensuring clients, merchants and service providers maintain the highest information security standard.
The PCI Security Standards Council (SSC) owns, maintains and manages the PCI DSS and all its supporting documents; however, Visa manages all data security compliance enforcement and validation initiatives.
Issuers and acquirers are responsible for ensuring that all of their service providers, merchants and merchants’ service providers comply with the PCI DSS requirements.
Merchant compliance validation has been prioritised based on the volume of transactions, the potential risk and exposure introduced into the payment system.
Learn about the merchant levels
Issuer and acquirers must ensure all their Level 1 and Level 2 service providers demonstrate PCI DSS compliance at the time of Third-Party Agents (TPA) registration and every 12 months thereafter.
Acquirers must ensure that their merchants validate at the appropriate level and obtain the required compliance validation documentation from their merchants. Merchant banks and merchants should also verify the compliance reporting requirements of other payment card brands which may require proof of compliance validation.
Level 1 Service Providers not directly connected to Visa are required to complete the annual on-site PCI data security assessment and submit an executed attestation of compliance (AOC), signed by both the service provider and the qualified security assessor (QSA) to Visa. Level 2 service providers must submit a signed self-assessment questionnaire (SAQ-D) form or an AOC including QSA signature. PCI DSS compliance validation is required before a service provider can be listed on the Visa Global Registry of Service Providers (the Registry).
The Visa Core Rules and Visa Product and Service Rules governs the activities of client financial institutions and, by extension, service providers and merchants as participants in the Visa payment system.
Issuers and acquirers are responsible for ensuring the PCI DSS compliance of its service providers and merchants, including service providers the merchant is using. A service provider and merchant must maintain full compliance at all times. (VCR section ID #0002228 and #0008031)
If a service provider or merchant does not comply with the PCI DSS or fails to rectify a security issue, Visa may assess a non-compliance assessment to the issuer or acquirer. The issuer or acquirer is responsible for paying all assessments and must not represent that Visa has imposed any assessment on the service provider or merchant. (VCR section ID #0001054)
Acquirers can contact Visa Risk at [email protected] for more information.
Visa is simplifying PIN security compliance validation across all regions.
Visa strongly encourages payment application vendors to develop and validate the conformance of their products to the PA–DSS. PA–DSS compliant applications help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data and support overall compliance with the PCI DSS. PA–DSS applies only to third–party payment application software that stores, processes or transmits cardholder data as part of an authorisation or settlement. In–house software applications are covered within a merchant or agent’s PCI DSS assessment.
On 1 January 2008, Visa implemented a series of mandates to eliminate the use of vulnerable payment applications from the Visa payment system. These mandates require acquirers to ensure that their merchants and agents do not use payment applications known to retain sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and require the use of payment applications that are compliant to the PA–DSS.
While many payment application vendors have deployed PA–DSS compliant payment applications, there is growing concern that updates to payment software are not being consistently developed to ensure that known vulnerabilities are not being reintroduced. In addition, there is concern that payment software is not being securely implemented at customer sites.
Merchant and agent compromises reveal that a number of payment application companies have poor software practises when installing payment applications and systems, support customers using weak, shared or default access credentials, and manage customer sites using poorly implemented remote management tools. Criminals can exploit these vulnerable entries and gain access to cardholder environments.
Visa has developed a set of best practices to help payment application companies address critical software processes. As part of their due diligence, acquirers, merchants and agents should ensure that the payment application companies they use have passed the rigour of mature software processes.
Visa Top Ten Best Practices for Payment Application Companies
Visa has identified that certain payment applications are designed by software vendors to store sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) subsequent to transaction authorisation. Storage of these cardholder data elements is in direct violation of the PCI DSS and Visa rules. Criminals are targeting merchants and agents that use these vulnerable payment applications and are exploiting these security vulnerabilities to find and steal cardholder data.
Visa will alert key stakeholders, including acquirers to help mitigate compromises, on an as-needed basis with an updated list of vulnerable payment applications. If you discover a vulnerable payment application and have specific information as to the payment application vendor, application version, where sensitive cardholder data is stored and vendor contact information, please notify Visa via email at [email protected]. All information provided will be verified through the software vendor, Visa will not reveal to any software vendor the source of information or disclose information that would reveal the source’s identity.
Visa developed the Payment Application Best Practices (PABP) in 2005 to provide software vendors guidance in developing payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and support overall compliance with the PCI DSS. In 2008, the PCI Security Standards Council adopted Visa’s PABP and released the standard as the PA–DSS. The PA–DSS now replaces PABP for the purpose of Visa’s compliance programme.
