Data Security Compliance & PCI DSS Merchant Levels
PCI DSS compliance
Everyone who stores, processes or transmits cardholder data is required to follow the Payment Card Industry Data Security Standard (PCI DSS). It consists of 12 requirements grouped into 6 categories for establishing and maintaining a reliable and secure payment processing environment. Work with your acquirer to provide secure transactions for all customers using the PCI DSS: first review the requirements below, then check that you meet each of them.

Build and maintain a secure network and systems
- 1. Install and maintain a firewall configuration to protect cardholder data.
- 2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data
- 3. Protect stored cardholder data.
- 4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program
- 5. Protect all systems against malware and regularly update anti-virus software or programs.
- 6. Develop and maintain secure systems and applications.

Implement strong access control measures
- 7. Restrict access to cardholder data by business need-to-know.
- 8. Identify and authenticate access to system components.
- 9. Restrict physical access to cardholder data.

Regularly monitor and test networks
- 10. Track and monitor all access to network resources and cardholder data.
- 11. Regularly test security systems and processes.

Maintain an information security policy
- 12. Maintain a policy that addresses information security for all personnel.
Compliance validation
Take the time to confirm that you have met all requirements of the PCI DSS. It is the best way to confirm that cardholder data is being handled safely and to expose any weaknesses that need to be addressed. Your total Visa transaction volume over a 12-month period determines your merchant level* and the validation requirements that apply to you.

* Merchant level identification is based on the corporate entity's total volume of Visa transactions (inclusive of credit, debit and prepaid) meeting the transaction thresholds in one country or with one acquirer per year. Volume from independently owned and operated merchant locations (e.g., franchisee, licensee) may be excluded if it is not processed by the corporate entity.

Level 1
Every year:
- File a Report on Compliance ("ROC") prepared by a Qualified Security Assessor ("QSA") or by an internal auditor, if signed by an officer of the company. We recommend that the internal auditor obtain the PCI SSC Internal Security Assessor ("ISA") certification.
- Submit an Attestation of Compliance ("AOC") form.
Every quarter:
- Conduct a network scan by an Approved Scanning Vendor ("ASV").

Level 2
Every year:
- Complete a Self-Assessment Questionnaire ("SAQ").
- Submit an Attestation of Compliance ("AOC") form.
Every quarter:
- Conduct a network scan by an Approved Scanning Vendor ("ASV").

Level 3
Every year:
- Complete a Self-Assessment Questionnaire ("SAQ").
- Submit an Attestation of Compliance ("AOC") form.
Every quarter:
- Conduct a network scan by an Approved Scanning Vendor ("ASV").

Level 4
Every year:
- Complete a Self-Assessment Questionnaire ("SAQ").
- Submit an Attestation of Compliance ("AOC") form.
Every quarter:
- Conduct a network scan by an Approved Scanning Vendor ("ASV") (if applicable).
Technology Innovation Program
Invest in secure technology and make compliance easier.
U.S. merchants that have taken steps to help prevent counterfeit fraud by investing in EMV chip technology, or that have implemented a validated point-to-point encryption solution, may qualify for the benefits of Visa's Technology Innovation Program (TIP). The program rewards eligible merchants by removing the requirement to validate compliance with the PCI Data Security Standard when at least 75 percent of annual transactions originate from dual-interface EMV chip-enabled terminals or from a validated point-to-point encryption solution.
Regulations + assessments
The Visa Core Rules (VCR) govern the activities of client financial institutions and, by extension, of merchants and service providers as participants in the Visa payment system.
A merchant's acquiring bank is responsible for ensuring PCI Data Security Standard (DSS) compliance of the merchant and of any service providers the merchant uses. As a merchant, you must maintain full compliance at all times (VCR section IDs #0002228 and #0008031).
If a merchant does not comply with the PCI DSS or fails to rectify a security issue, Visa may apply a non-compliance assessment to the merchant's acquirer. The acquirer is responsible for paying all assessments and must not represent that Visa has imposed any assessment on the merchant (VCR section ID #0001054).
Assessments may be waived if a forensic investigation finds no evidence of PCI DSS non-compliance prior to, and at the time of, a data breach.
Service providers + payment applications
Support secure transactions by partnering only with approved service providers and payment applications.
Service providers
Service providers handle Visa cardholder information on your behalf. Your acquirer ensures that your service providers comply with the PCI Data Security Standard. Compliance validation is required for all service providers.
Payment applications
Use only secure, validated payment applications.
Security programs
Stay up-to-date with the latest security standards.
Global PIN Security Program
Merchants that acquire PIN transactions or perform their own key management services must comply with Visa's PIN security requirements.
Use the link below to learn more about Visa's Global PIN Security Program:
Learn more about joining the Qualified Integrators and Resellers (QIR) Program
The PCI Qualified Integrators and Resellers (QIR)™ training and qualification program provides training and tools to ensure a secure installation of your merchant payment systems, validated against the Payment Application Data Security Standard. By becoming a QIR, merchants will be able to use your services to meet the requirements set by the payment brands.
More resources
Find more information on how to protect your business.
Cybercriminals Targeting Point of Sale Integrators (PDF, 984 KB)
Effectively Managing Data Breaches (PDF, 984 KB)
5 Important Visa Rules That Every Merchant Should Know (PDF, 587 KB)
Payment Application Security Mandates (PDF, 61 KB)