Program Updates

As part of a broader effort to mitigate small merchant breaches, Visa Payment System Risk established new data security program requirements for U.S. and Canadian acquirers with an effective date of January 31, 2017.

Learn more
Merchant Resource Library

Library includes documents containing in-depth information designed to help Visa merchants navigate acceptance, fraud, data security, authorization and more. Download, print and keep them on hand at your business.

Learn More
Global Service Provider Registry

The Visa Global Registry of Service Providers is the payment industry's designated source for information on registered and compliant agents that provide payment-related services to Visa clients and merchants.

Learn more
Third Party Agent Program FAQ

Get answers to common questions about the Third Party Agent Registration Program.

Learn more

Data security compliance

From fraud prevention tips to innovative security technologies, we provide powerful resources to help keep your business safe and secure.

Security training

Visa provides valuable information regarding the latest data security trends, data breaches and attack vectors, best practices and Visa compliance programmes through an on-going series of conferences, webinars and training sessions.

PCI DSS compliance

Everyone storing, processing or transmitting cardholder information is required to follow the PCI DSS. It consists of 12 basic requirements grouped in 6 categories for establishing and maintaining a reliable and secure payment processing environment. Partner with your acquirer to provide secure transactions for all customers using the PCI Data Security Standard (DSS). First, review the guidelines and then check to see that you meet the related requirements.

Visit the PCI DSS website for more resources

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

5. Protect all systems against malware and regularly update anti-virus software or programmes
6. Develop and maintain secure systems and applications.

7. Restrict access to cardholder data by business need-to-know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

12. Maintain a policy that addresses information security for all personnel

Compliance validation

Take the time to see that you’ve met all requirements of the PCI DSS. It’s the best way to confirm cardholder data is being safely handled and to expose any weaknesses that need to be addressed. Your total Visa transaction volume over a 12-month period determines your merchant level and the necessary requirements for validation.

Every year:

File a Report on Compliance ("ROC") by Qualified Security Assessor ("QSA")” or Internal Auditor if signed by officer of the company. We recommend the internal auditor obtain the PCI SSC Internal Security Assessor ("ISA") certification.
Submit an Attestation of Compliance ("AOC") Form

Every quarter:

Conduct a quarterly network scan by an Approved Scan Vendor ("ASV")

Every year:

Complete a Self-Assessment Questionnaire ("SAQ")
Submit an Attestation of Compliance ("AOC") Form

Every quarter:

Conduct a quarterly network scan by an Approved Scan Vendor ("ASV")

Every year:

Complete a Self-Assessment Questionnaire ("SAQ")
Submit an Attestation of Compliance ("AOC") Form

Every quarter:

Conduct a quarterly network scan by an Approved Scan Vendor ("ASV")

Every year:

Complete a Self-Assessment Questionnaire ("SAQ")
Submit an Attestation of Compliance ("AOC") Form

Every quarter:

Conduct a quarterly network scan by an Approved Scan Vendor ("ASV") (if applicable)

Small Merchant Data Security Requirements

Technology Innovation Programme

Invest in secure technology and make compliance easier

US merchants that have acted to help prevent counterfeit fraud by investing in EMV chip technology or implemented a validated point-to-point encryption solution can benefit from Visa's Technology Innovation Programme (TIP). This programme rewards eligible merchants by eliminating the requirement to verify compliance with the PCI DSS when at least 75 per cent of yearly transactions originate from dual-interface EMV chip-enabled terminals or a validated point-to-point encryption solution.

Learn about qualifications

Regulations + assessments

Visa Core Rules (VCR) governs the activities of client financial institutions and, by extension, merchants and service providers as participants in the Visa payment system.

A merchant's acquiring bank is responsible for ensuring the PCI Data Security Standard (DSS) compliance of the merchant and any service providers the merchant is using. As a merchant, you must maintain full compliance at all times. (VCR section ID #0002228 and #0008031).

If a merchant does not comply with the PCI DSS or fails to rectify a security issue, Visa may assess a non-compliance assessment to the merchant’s acquirer. The acquirer is responsible for paying all assessments and must not represent that Visa has imposed any assessment on the merchant. (VCR section ID #0001054)

Assessments may be waived if there is no evidence of PCI DSS non-compliance prior to, and at the time of a data breach, as demonstrated during a forensic investigation.

Suspect you’ve been compromised?

Service providers + payment applications

Support secure transactions by partnering only with approved service providers and payment applications.

Service providers

Service providers handle Visa cardholder information on your behalf. Your acquirer ensures service providers comply with the PCI DSS. Compliance validation is required for all service providers.

Find a validated service provider

Payment applications

Use only secure, validated payment applications.

A woman sitting at a desk, looking pensive while staring at her laptop.

Security programmes

Stay up-to-date with the latest security standards

Presenting a contactless Visa debit card at checkout.

Global PIN Security Programme

Merchants that acquire PIN transactions and/or perform key management services for themselves must comply with the Visa PIN Security requirements.

Use the links below to learn more about Visa’s Global PIN Security Programme:

Learn about PIN security

Skimming Prevention: Best Practices for Merchants

Learn more about joining the Qualified Integrator Reseller (QIR) Programme

The PCI Qualified Integrators & Resellers (QIR)™ training and qualification programme provides training and tools to ensure a secure installation for your merchants‘ PA-DSS validated payment systems. By becoming a QIR, merchants will be able to use your services to meet the requirements outlined by payment brands.

How to join the QIR Programme

Benefits of Trained PCI QIR