Visa announced global mandates for compliance with the Payment Card Industry Data Security Standard (PCI DSS), creating a consistent framework for compliance among merchants, service providers and their agents.
The enhancements include a global set of requirements for merchants to validate their compliance with PCI DSS and, for the largest merchants, dates by which they must achieve validation. Deadlines are also set for large and mid-level merchants to demonstrate that they are not storing certain types of sensitive card data. Service provider levels and PCI DSS validation requirements have likewise been aligned under a global standard and compliance timeline. Compliance with PCI DSS will help protect businesses from the financial and reputational harm that often results from cardholder data compromises. Visa data security compliance programs have provided compelling incentives for merchants and agents to properly secure cardholder data.
The new framework establishes the minimum requirements for Visa regions. As an independent company and licensee of Visa International for business operations in European markets, Visa Europe’s PCI DSS framework requires compliance validation and risk mitigation for Level 1 merchants; however, the region will be adhering to a different timeline and process for executing compliance validation.
Prohibited Data Storage Deadline for Level 1 and 2 Merchants – September 30, 2009
Visa will require confirmation from acquirers by September 30, 2009 that their Level 1 and 2 merchants do not retain sensitive payment card data such as full magnetic stripe (also known as track data), security codes or PIN data after transaction authorization.
After the deadline, Visa will impose appropriate risk controls, up to and including acquirer fines for failure to provide an attestation form to Visa confirming that each of the acquirer’s Level 1 and 2 merchants does not retain prohibited data. The September 30, 2009 deadline does not supersede any applicable earlier regional deadlines and related enforcement programs previously established.
PCI DSS Compliance Validation Deadline for Level 1 Merchants – September 30, 2010
Visa will require acquirers to provide an Attestation of Compliance for each of their Level 1 merchants demonstrating that each has validated full PCI DSS compliance by September 30, 2010. After that date, Visa will impose appropriate risk controls, up to and including acquirer fines for failure to provide an attestation form to Visa confirming that each of its Level 1 merchants has validated full PCI DSS compliance. The September 30, 2010 deadline does not supersede any applicable earlier regional deadlines and related enforcement programs previously established.
In addition to aligning service provider validation levels globally, Visa will implement a common PCI DSS full compliance validation process for all service providers. Effective February 1, 2009, Visa will only require submission of an executed Attestation of Compliance Form and the “Executive Summary” section of the service provider’s Report on Compliance (ROC) to demonstrate full PCI DSS compliance as a Level 1 service provider. Level 2 service providers will submit version D of the Self-Assessment Questionnaire (SAQ). Issuers and acquirers are responsible for reviewing the accuracy of the SAQ.