
VISA BULLETIN

21 October 2014

VISA INTRODUCES ENHANCED PCI DSS ENFORCEMENT PLAN


Distribution: Acquirers, Issuers, Processors, Merchants, Agents
Who should read this: Information Security, Compliance, and Risk

Summary
The vast majority of merchants, VisaNet processors and third party agents have already validated
Payment Card Industry Data Security Standard (PCI DSS) compliance; however, gaps still exist. To
address these gaps, Visa is introducing an enhanced, globally consistent PCI DSS validation enforcement
plan for the service provider and merchant security programs.

Background
Data security continues to be one of the most important issues facing the payment card industry. Visa
has worked extensively to prevent and mitigate the effects of consumer information compromises,
including implementation of the Visa Cardholder Information Security Program (CISP) and the Account
Information Security (AIS) Program in 1999.
The PCI DSS, launched in 2004, built on this foundation by establishing the first unified security standard
for the payments industry. Since then, Visa has required all entities that store, process or transmit
cardholder data to comply with the PCI DSS. Additionally, Visa clients and merchants are required to
use only PCI DSS-validated service providers (VisaNet processors and third party agents).
Sound security practices help Visa clients, merchants, VisaNet processors and third party agents boost
customer confidence and greatly reduce the risk of adverse financial and reputational consequences
associated with cardholder data compromises. The PCI DSS has proven to be a highly effective
foundation of baseline security standards and a valuable component of a comprehensive security
program. To that end, Visa has implemented a consistent PCI DSS compliance validation framework
across all Visa Inc. markets.

PCI DSS Enforcement Plan


Visa encourages clients to work with their noncompliant or overdue Level 1 and Level 2 merchants and
service providers immediately to obtain either validation documentation or a remediation plan.
Visa clients whose merchants or service providers have not fulfilled their annual PCI DSS compliance
validation requirement or qualified for the Visa Technology Innovation Program (TIP)[1] may be subject
to the following actions, as specified in the Visa Rules:
Visa Public

• PCI DSS noncompliance assessments (ID#: 0008193)
• Implementation of risk reduction measures (ID#s: 0003687 and 0005057)

Noncompliance assessments will begin 1 January 2015 for noncompliant or overdue Level 1 and Level 2
merchants and service providers without a remediation plan. For merchants, the assessments will apply
to the primary acquirer with the most transactions for the merchant.
Entities with overdue PCI DSS validation or that have never validated PCI DSS compliance must submit a
remediation plan to their Visa clients. Visa clients are responsible for reviewing and accepting the
remediation plan. If the Visa client accepts the remediation plan, it must provide Visa with the Qualified
Security Assessor (QSA) company name (if applicable) and the planned validation date to suspend
assessment. Visa reserves the right to review and reject a remediation plan.
[1] TIP eliminates the annual requirement for eligible merchants to validate their compliance with the PCI DSS for any year in which at least
75 percent of the merchant's Visa transactions originate from EMV chip-enabled terminals, in addition to meeting other qualification
criteria.

Consequences of Noncompliance for Overdue Entities

Days overdue and consequence:

1–60 days: Entity's listing on the Visa Global Registry of Service Providers turns yellow.[2]
Clients must notify their merchants and agents of their overdue status and obtain
validation documentation or a remediation plan.

61–90 days: Entity's listing on the Visa Global Registry of Service Providers turns red.[2]

91–180 days: Entity is removed from the Visa Global Registry of Service Providers.[2]
Entity must submit a remediation plan to its Visa client(s), including the planned
validation date and QSA company name (if applicable). If the Visa client accepts
the remediation plan, it will share the planned validation date and QSA company
name (if applicable) with Visa in order to suspend noncompliance assessments.
If a remediation plan was not submitted or the Visa client did not accept the
remediation plan, Visa will impose monthly noncompliance assessments[3] on each of
the entity's Visa clients.

181–270 days: If a remediation plan was not submitted or the Visa client did not accept the
remediation plan, Visa may escalate monthly noncompliance assessments[3] to
each of the entity's Visa sponsors.

271+ days: If a remediation plan was not submitted or the Visa client did not accept the
remediation plan, Visa may escalate monthly noncompliance assessments[3] to
each of the entity's Visa sponsors.
Visa may impose additional measures including, but not limited to, risk reduction
requirements, disconnection from VisaNet, and agent disqualification.
[2] This is not applicable to merchants or entities validating compliance through Self-Assessment Questionnaire (SAQ) D.

[3] Clients that are subject to noncompliance assessments will receive detailed notifications itemizing the assessment amounts per
merchant or service provider as specified in the Account Information Security (AIS) Program noncompliance assessments table (ID#:
0008193).


The following table illustrates the consequences for entities that have never demonstrated PCI DSS
compliance to Visa:

Consequences for Entities That Have Never Demonstrated PCI DSS Compliance

Days past the effective date and consequence:

0 days: Clients must notify their merchants and agents of their overdue status and obtain
validation documentation or a remediation plan.

1–30 days: Entity must submit a remediation plan to its Visa client(s), including the planned
validation date and QSA company name (if applicable). If the Visa client accepts
the remediation plan, it will share the planned validation date and QSA company
name (if applicable) with Visa in order to suspend noncompliance assessments.

31–90 days: If a remediation plan was not submitted or the Visa client did not accept the
remediation plan, Visa will impose monthly noncompliance assessments[4] on each
of the entity's Visa clients.

91–180 days: If a remediation plan was not submitted or the Visa client did not accept the
remediation plan, Visa may escalate monthly noncompliance assessments[4] to
each of the entity's Visa sponsors.

181+ days: If a remediation plan was not submitted or the Visa client did not accept the
remediation plan, Visa may escalate monthly noncompliance assessments[4] to
each of the entity's Visa sponsors.
Visa may impose additional measures including, but not limited to, risk reduction
requirements, disconnection from VisaNet and agent disqualification.
[4] Clients that are subject to noncompliance assessments will receive detailed notifications itemizing the assessment amounts, per
merchant or service provider, as specified in the Account Information Security (AIS) Program noncompliance assessments table (ID#:
0008193).

Note: These timelines and PCI DSS noncompliance assessments do not supersede assessments
pursuant to the Visa Rules for PCI DSS noncompliance in the event of a data compromise. Additional
assessments may also apply, such as third party agent non-registration assessments (ID#: 0025901).
Additional Resources
Online Resources
Visit the Visa Risk Management website for your region:
AP, CEMEA: www.visa.com/staysecureAPCEMEA
Canada, LAC, U.S.: www.visa.com/third-party-agent and www.visa.com/cisp
Visa Global Registry of Service Providers
Payment Card Industry Data Security Standard


Enhanced PCI DSS Enforcement Plan FAQ


1) When does the enhanced Payment Card Industry Data Security Standard (PCI DSS) enforcement
plan become effective?
Visa encourages clients to work with their noncompliant or overdue Level 1 and Level 2 merchants
and service providers immediately to either obtain validation documentation or a remediation plan.
Noncompliance assessments will begin 1 January 2015 for noncompliant or overdue Level 1 and
Level 2 merchants and service providers without a remediation plan. For merchants, the
assessments will apply to the primary acquirer with the most transactions for the merchant.
2) Why is Visa communicating these changes now, if the enforcement does not become effective
until January 2015?
Visa is giving stakeholders time to properly review their service providers and merchants
compliance status and engage them (where necessary) to ensure minimal disruption to current
processes and compliance activities.
3) Why did Visa enhance enforcement of its merchant and service provider PCI DSS compliance
programs?
Visa is continually evolving its risk programs to maintain the security of the payment system and
address current threats. The enhanced PCI DSS enforcement plan places a risk-based focus on
noncompliant or overdue merchants and third parties that may introduce increased risks into the
payment system.
4) What entities are in the scope of these changes?
VisaNet processors and third party agents that store, process or transmit cardholder data are in
scope; merchants that do not qualify for the Technology Innovation Program (TIP) are also in
scope. (TIP eliminates the annual requirement for eligible merchants to validate their compliance
with the PCI DSS for any year in which at least 75 percent of the merchant's Visa transactions
originate from EMV chip-enabled terminals, in addition to meeting other qualification criteria.)
5) What types of agents require PCI DSS compliance?
Any agent that provides managed services and/or stores, processes or transmits Visa cardholder
data must validate PCI DSS compliance at the time of registration and with Visa every 12 months
thereafter. For more information, refer to the Third Party Agent Program webpage (for Canada, LAC
and U.S.) or the Risk Security webpage at http://www.visa.com/staysecureAPCEMEA (for AP and
CEMEA).
6) What is the Visa Global Registry of Service Providers (the Visa Registry)?
The Visa Global Registry of Service Providers is the payment industry's designated source for
information on registered and compliant agents that provide payment-related services to Visa
clients and merchants. Clients and merchants can select registered and validated service providers
on the Global Registry for outsourcing their payment-related services.
7) What entities are listed on the Visa Registry?
Entities include, but are not limited to, payment facilitators, VisaNet processors, high-risk Internet
payment facilitators, independent sales organizations, third party servicers, encryption support
organizations, merchant servicers, access control server providers, dynamic currency conversion
providers, instant card personalization issuance agents and distribution channel vendors.

8) What happens if service providers do not validate PCI DSS compliance?


Visa requires service providers that store, process or transmit Visa cardholder data to validate PCI
DSS compliance every 12 months. Service providers that validate PCI DSS compliance through a PCI
SSC Qualified Security Assessor (QSA) and meet program requirements are listed on the Visa
Registry. If Visa does not receive the appropriate revalidation documents, the service provider's
listing on the Visa Registry changes as follows:

• 1–60 days overdue: The service provider is highlighted in yellow on the Visa Registry
• 61–90 days overdue: The service provider is highlighted in red on the Visa Registry
• More than 90 days overdue: The service provider is removed from the Visa Registry

Additionally, Visa clients may be subject to noncompliance assessments and corporate risk
reduction measures for using noncompliant service providers. Visa encourages clients and
merchants to review the Visa Registry to select entities that have met Visa program requirements
and baseline security standards.
9) What notifications is Visa sending to payment system participants about the Enhanced PCI DSS
Enforcement Plan?
All communications pertaining to this plan are being directed to Visa Inc. acquirers, issuers,
processors, merchants and agents. In addition, Visa maintains ongoing communication with QSAs
about data security requirements.
10) What information does Visa need for noncompliant entities?
Entities with overdue PCI DSS validation or that have never validated PCI DSS compliance must
submit a remediation plan to their Visa clients. Visa clients are responsible for reviewing and
accepting the remediation plan. If the Visa client accepts the remediation plan, it must provide Visa
with the QSA company name (if applicable) and the planned validation date to suspend
noncompliance assessments. Visa reserves the right to review and reject a remediation plan.
Specific remediation plan requirements by entity type are as follows:

• For merchants:
  o Visa clients must provide Visa with the QSA company name (if applicable) and the
    planned validation date to suspend noncompliance assessments.

• For service providers:
  o Entities with overdue validation (1–270 days): Visa clients must provide Visa with
    the QSA company name (if applicable) and the planned validation date to suspend
    noncompliance assessments.
  o Entities with overdue validation (271+ days) and entities that have never validated
    PCI DSS compliance: Visa clients must provide Visa with a QSA engagement letter on
    the QSA's letterhead which includes the planned validation date to suspend
    noncompliance assessments.

Visa reserves the right to review and reject a remediation plan as described above and to request a
Prioritized Approach document that lists the sequence of steps or activities that must be performed
in order to achieve PCI DSS compliance. The plan should include projected dates for each milestone
and tracking on a monthly basis to ensure all activities are on schedule. Entities may refer to the
PCI SSC Prioritized Approach Tool for guidance.
11) How does Visa determine overdue and never validated status for service providers?
• Overdue entities: Visa requires service providers to demonstrate PCI DSS compliance every 12
  months. Each entity has its own validation cycle. An entity becomes overdue the first day after
  the 12-month cycle.

• Entities that have never validated compliance: These are entities that have not undergone an
  initial compliance validation. These entities are, by definition, out of compliance.

Effective 1 January 2015, Visa will impose assessments on clients that use these entities.
12) Will the registering client of a Level 2 service provider also be notified of their overdue
compliance?
All service providers, regardless of level, are in scope of the plan. The same assessments / risk
reduction measures apply for Level 2 service providers.
13) What noncompliance amounts will be assessed if an entity continuously fails to provide the PCI
DSS compliance documentation or a remediation plan?
Noncompliance assessments will be levied according to the table in the Visa Rules (ID#: 0008193).
Before any noncompliance assessments are applied, Visa clients will receive a detailed notification,
including specific amounts being assessed per entity.
14) Are these program changes applicable to Visa Europe?
This program enhancement is applicable to Visa Inc. regions only. As a separate company, Visa
Europe maintains its own rules. Specific compliance validation deadlines and noncompliance
assessments referenced in this guide do not apply to Visa Europe members or their merchants and
service providers.
15) Whom should I contact with questions?
For specific questions, please contact your Visa risk representative at the following email addresses:

• VisaNet Processors and Third Party Agents:
  o AP, CEMEA: pciagents@visa.com
  o Canada, LAC, U.S.: pcirocs@visa.com

• Merchants:
  o AP, CEMEA: vpssais@visa.com
  o Canada, LAC, U.S.: cisp@visa.com

© 2014 Visa Inc., all rights reserved
