- 1. Install and maintain a firewall configuration to protect cardholder data
- 2. Do not use vendor-supplied defaults for system passwords and other security parameters.
- 3. Protect stored cardholder data
- 4. Encrypt transmission of cardholder data across open, public networks
- 5. Protect all systems against malware and regularly update anti-virus software or programmes
- 6. Develop and maintain secure systems and applications.
- 7. Restrict access to cardholder data by business need-to-know
- 8. Identify and authenticate access to system components
- 9. Restrict physical access to cardholder data
- 10. Track and monitor all access to network resources and cardholder data
- 11. Regularly test security systems and processes
- 12. Maintain a policy that addresses information security for all personnel
Compliance validation
Every year:
- File a Report on Compliance ("ROC") prepared by a Qualified Security Assessor ("QSA") or by an Internal Auditor if signed by an officer of the company. We recommend the internal auditor obtain the PCI SSC Internal Security Assessor ("ISA") certification.
- Submit an Attestation of Compliance ("AOC") Form
Every quarter:
- Conduct a quarterly network scan by an Approved Scan Vendor ("ASV")
Every year:
- Complete a Self-Assessment Questionnaire ("SAQ")
- Submit an Attestation of Compliance ("AOC") Form
Every quarter:
- Conduct a quarterly network scan by an Approved Scan Vendor ("ASV")
Every year:
- Complete a Self-Assessment Questionnaire ("SAQ")
- Submit an Attestation of Compliance ("AOC") Form
Every quarter:
- Conduct a quarterly network scan by an Approved Scan Vendor ("ASV")
Every year:
- Complete a Self-Assessment Questionnaire ("SAQ")
- Submit an Attestation of Compliance ("AOC") Form
Every quarter:
- Conduct a quarterly network scan by an Approved Scan Vendor ("ASV") (if applicable)
Technology Innovation Programme
US merchants that have acted to help prevent counterfeit fraud by investing in EMV chip technology or implemented a validated point-to-point encryption solution can benefit from Visa's Technology Innovation Programme (TIP). This programme rewards eligible merchants by eliminating the requirement to verify compliance with the PCI DSS when at least 75 per cent of yearly transactions originate from dual-interface EMV chip-enabled terminals or a validated point-to-point encryption solution.
Regulations + assessments
The Visa Core Rules (VCR) govern the activities of client financial institutions and, by extension, merchants and service providers as participants in the Visa payment system.
A merchant's acquiring bank is responsible for ensuring the PCI Data Security Standard (DSS) compliance of the merchant and any service providers the merchant is using. As a merchant, you must maintain full compliance at all times. (VCR section ID #0002228 and #0008031).
If a merchant does not comply with the PCI DSS or fails to rectify a security issue, Visa may impose a non-compliance assessment on the merchant's acquirer. The acquirer is responsible for paying all assessments and must not represent that Visa has imposed any assessment on the merchant. (VCR section ID #0001054)
Assessments may be waived if there is no evidence of PCI DSS non-compliance prior to, and at the time of a data breach, as demonstrated during a forensic investigation.
Service providers + payment applications

Service providers
Service providers handle Visa cardholder information on your behalf. Your acquirer ensures service providers comply with the PCI DSS. Compliance validation is required for all service providers.
Find a validated service provider
Payment applications
Security programmes

Global PIN Security Programme
Merchants that acquire PIN transactions and/or perform key management services for themselves must comply with the Visa PIN Security requirements.
Use the links below to learn more about Visa’s Global PIN Security Programme:
Skimming Prevention: Best Practices for Merchants
Learn more about joining the Qualified Integrator Reseller (QIR) Programme
The PCI Qualified Integrators & Resellers (QIR)™ training and qualification programme provides training and tools to ensure a secure installation of your merchants' PA-DSS validated payment systems. By becoming a QIR, you enable merchants to use your services to meet the requirements set by the payment brands.
More resources

Find more information on protecting your business
Minimising Payment Risks for Merchants Using Integrators/Resellers (PDF, 1.2MB)
Cybercriminals Targeting Point of Sale Integrators (PDF, 984KB)
Effectively Managing Data Breaches (PDF, 984KB)
5 Important Visa Rules That Every Merchant Should Know (PDF, 587KB)
Identifying and Mitigating Threats to E-commerce Payment Processing (PDF, 1.0MB)
Payment Application Security Mandates (PDF, 61KB)