Visa Introduces Enhanced PCI DSS Enforcement Plan

Summary
The vast majority of merchants, VisaNet processors and third party agents have already validated
Payment Card Industry Data Security Standard (PCI DSS) compliance; however, gaps still exist. To
address these gaps, Visa is introducing an enhanced, globally consistent PCI DSS validation enforcement
plan for the service provider and merchant security programs.

Background
Data security continues to be one of the most important issues facing the payment card industry. Visa
has worked extensively to prevent and mitigate the effects of consumer information compromises,
including implementation of the Visa Cardholder Information Security Program (CISP) and the Account
Information Security (AIS) Program in 1999.
The PCI DSS, launched in 2004, built on this foundation by establishing the first unified security standard
for the payments industry. Since then, Visa has required all entities that store, process or transmit
cardholder data to comply with the PCI DSS. Additionally, Visa clients and merchants are required to
use only PCI DSS-validated service providers (VisaNet processors and third party agents).
Sound security practices help Visa clients, merchants, VisaNet processors and third party agents boost
customer confidence and greatly reduce the risk of adverse financial and reputational consequences
associated with cardholder data compromises. The PCI DSS has proven to be a highly effective
foundation of baseline security standards and a valuable component of a comprehensive security
program. To that end, Visa has implemented a consistent PCI DSS compliance validation framework
across all Visa Inc. markets.

PCI DSS Enforcement Plan
Visa encourages clients to work with their noncompliant or overdue Level 1 and Level 2 merchants and
service providers immediately to obtain either validation documentation or a remediation plan.
Visa clients whose merchants or service providers have not fulfilled their annual PCI DSS compliance
validation requirement or qualified for the Visa Technology Innovation Program (TIP)[1] may be subject
to the following actions, as specified in the Visa Rules:

• PCI DSS noncompliance assessments (ID#: 0008193)
• Implementation of risk reduction measures (ID#s: 0003687 and 0005057)

Noncompliance assessments will begin 1 January 2015 for noncompliant or overdue Level 1 and Level 2
merchants and service providers without an accepted remediation plan. For merchants, the assessments will
apply to the primary acquirer, that is, the acquirer with the most transactions for the merchant.
Entities with overdue PCI DSS validation or that have never validated PCI DSS compliance must submit a
remediation plan to their Visa clients. Visa clients are responsible for reviewing and accepting the
remediation plan. If the Visa client accepts the remediation plan, it must provide Visa with the Qualified
Security Assessor (QSA) company name (if applicable) and the planned validation date to suspend
assessment. Visa reserves the right to review and reject a remediation plan.
[1] TIP eliminates the annual requirement for eligible merchants to validate their compliance with the PCI DSS for any year in which at least
75 percent of the merchant's Visa transactions originate from EMV chip-enabled terminals, in addition to meeting other qualification
criteria.

Consequences of Noncompliance for Overdue Entities

Days overdue: 1–60
• Entity's listing on the Visa Global Registry of Service Providers turns yellow.[2]
• Clients must notify their merchants and agents of their overdue status and obtain
validation documentation or a remediation plan.

Days overdue: 61–90
• Entity's listing on the Visa Global Registry of Service Providers turns red.[2]

Days overdue: 91–180
• Entity is removed from the Visa Global Registry of Service Providers.[2]
• Entity must submit a remediation plan to its Visa client(s), including the planned
validation date and QSA company name (if applicable). If the Visa client accepts
the remediation plan, it will share the planned validation date and QSA company
name (if applicable) with Visa in order to suspend noncompliance assessments.
• If a remediation plan was not submitted or the Visa client did not accept the
remediation plan, Visa will assess monthly noncompliance assessments[3] to each of
the entity's Visa clients.

Days overdue: 181–270
• If a remediation plan was not submitted or the Visa client did not accept the
remediation plan, Visa may escalate monthly noncompliance assessments[3] to
each of the entity's Visa sponsors.

Days overdue: 271+
• If a remediation plan was not submitted or the Visa client did not accept the
remediation plan, Visa may escalate monthly noncompliance assessments[3] to
each of the entity's Visa sponsors.
• Visa may impose additional measures including, but not limited to, risk reduction
requirements, disconnection from VisaNet, and agent disqualification.

The following table illustrates the consequences for entities that have never demonstrated PCI DSS
compliance to Visa:

Consequences for Entities That Have Never Demonstrated PCI DSS Compliance

Days past the effective date: 0
• Clients must notify their merchants and agents of their overdue status and obtain
validation documentation or a remediation plan.

Days past the effective date: 1–30
• Entity must submit a remediation plan to its Visa client(s), including the planned
validation date and QSA company name (if applicable). If the Visa client accepts
the remediation plan, it will share the planned validation date and QSA company
name (if applicable) with Visa in order to suspend noncompliance assessments.

Days past the effective date: 31–90
• If a remediation plan was not submitted or the Visa client did not accept the
remediation plan, Visa will assess monthly noncompliance assessments[4] to each
of the entity's Visa clients.

Days past the effective date: 91–180
• If a remediation plan was not submitted or the Visa client did not accept the
remediation plan, Visa may escalate monthly noncompliance assessments[4] to
each of the entity's Visa sponsors.

Days past the effective date: 181+
• If a remediation plan was not submitted or the Visa client did not accept the
remediation plan, Visa may escalate monthly noncompliance assessments[4] to
each of the entity's Visa sponsors.
• Visa may impose additional measures including, but not limited to, risk reduction
requirements, disconnection from VisaNet, and agent disqualification.

Note: These timelines and PCI DSS noncompliance assessments do not supersede the assessments that
the Visa Rules impose for PCI DSS noncompliance in the event of a data compromise. Additional
assessments may also apply, such as third party agent non-registration assessments (ID#: 0025901).

Additional Resources
Online Resources
Visit the Visa Risk Management website for your region:
• AP, CEMEA: www.visa.com/staysecureAPCEMEA
• Canada, LAC, U.S.: www.visa.com/third-party-agent and www.visa.com/cisp
Visa Global Registry of Service Providers
Payment Card Industry Data Security Standard

[ http://usa.visa.com/download/merchants/Bulletin-PCIEnforcement-102114.pdf]