Account information security program and PCI

Protect cardholder data

Visa’s Account Information Security (AIS) Program is designed to provide a well-aimed defense against account compromises by requiring stakeholders to safeguard cardholder data throughout the payment system and address security deficiencies.

Payment Card Industry Data Security Standard (PCI DSS) Compliance

PCI DSS compliance is required of all entities that store, process or transmit Visa cardholder data – including financial institutions, merchants and service providers. Visa’s programs manage PCI DSS compliance by requiring that participants demonstrate compliance on a regular basis.

The PCI Security Standards Council (SSC) owns, maintains and manages the PCI DSS and all its supporting documents; however, Visa manages all data security compliance enforcement and validation initiatives.

PCI DSS compliance validation for merchants and service providers

Issuers and acquirers are responsible for ensuring that all their service providers, merchants and merchants’ service providers comply with the PCI DSS requirements. It’s the best way to confirm cardholder data is being safely handled and to expose any weaknesses that need to be addressed.

Compliance validation criteria

A merchant’s total Visa transaction volume over a 12-month period determines its merchant level** and the requirements that apply for validation. Acquirers must ensure that their merchants validate at the appropriate level and must obtain the required compliance validation documentation from their merchants.

** Merchant level identification is based on the corporate entity’s total volume of Visa transactions (inclusive of credit, debit and prepaid) meeting the transaction thresholds in one country or with one acquirer per year. Volume from independently owned and operated merchant locations (e.g., franchisee, licensee) may be excluded if it is not processed by the corporate entity.

Technology Innovation Program (TIP)

Merchants that have acted to help prevent counterfeit fraud by investing in secure technology can benefit from Visa's TIP. This program rewards eligible merchants by eliminating the requirement to validate compliance with the PCI DSS when at least 75% of yearly transactions originate through EMV chip-enabled terminals, a validated point-to-point encryption solution, or an integrated industry-standard tokenization solution meeting the EMVCo Tokenization Specification.


Regulations and assessments

The Visa Core Rules and Visa Product and Service Rules govern the activities of client financial institutions and, by extension, service providers and merchants as participants in the Visa payment system.

Issuers and acquirers are responsible for ensuring the PCI DSS compliance of their service providers and merchants, including any service providers the merchant uses. Service providers and merchants must always maintain full compliance. (VCR section ID #0002228 and #0008031)

If a service provider or merchant does not comply with the PCI DSS or fails to rectify a security issue, Visa may impose a non-compliance assessment on the issuer or acquirer. The issuer or acquirer is responsible for paying all assessments and must not represent that Visa has imposed any assessment on the service provider or merchant. (VCR section ID #0001054)

Assessments may be waived if there is no evidence of PCI DSS non-compliance prior to, and at the time of, a data breach, as demonstrated during a forensic investigation.

Global Registry of Service Providers

The Visa Global Registry of Service Providers is the payment industry's designated source for information on registered and compliant agents that provide payment-related services to Visa clients and merchants. Support secure transactions by partnering only with approved service providers.

Third Party Agent Registration Program

Third Party Agents (TPAs) that perform solicitation activities (ISO); deploy ATM, point of sale (POS) or kiosk acceptance devices and/or manage encryption keys (ESO); or store, process, transmit, or have access to Visa cardholder data must be registered in the TPA Registration Program before issuers, acquirers and merchants can use their services.

Suspect a data breach?