Merchant Levels Defined

Compliance Validation

Acquirers are responsible for ensuring that all of their merchants protect Visa account information. Compliance with the Account Information Security (AIS) program is mandatory. The program requires merchants to validate compliance at one of four merchant levels, depending on their transaction volume.

Merchant levels defined

Acquirers are responsible for determining the compliance validation requirement levels of their merchants. Every merchant falls into one of four merchant level categories based on its annual Visa transaction volume. A merchant's transaction volume is the aggregate number of Visa transactions it processes. To confirm your merchant level, contact your Acquirer.

Merchant levels are defined as:

Level 1
  - Any merchant (regardless of acceptance channel) processing over 6,000,000 Visa transactions per year.
  - Any merchant that has suffered a successful unauthorized intrusion that resulted in an account data compromise.
  - Any merchant that Visa, in its sole discretion, determines should meet the Level 1 Merchant requirements to minimize risk to the Visa system.
  - Any merchant identified by any other payment card brand as Level 1.

Level 2
  - Any merchant (regardless of acceptance channel) processing 1,000,000 to 6,000,000 Visa transactions per year.

Level 3
  - Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.

Level 4
  - Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants (regardless of acceptance channel) processing up to 1,000,000 Visa transactions per year.


AIS Program compliance validation basics

In addition to adhering to the twelve security requirements and sub-requirements of the Payment Card Industry (PCI) Data Security Standard (DSS), compliance validation is required for Level 1, Level 2, and Level 3 merchants, and strongly recommended for Level 4 merchants.

Level 1
  Validation actions: Annual PCI Questionnaire (validated by QSA); PCI Security Scans (validated by ASV); On-site Review (validated by QSA)
  Enrolled by*: 9/30/2005
  Validate by: 12/31/2005

Level 2
  Validation actions: Annual PCI Questionnaire (validated by QSA); PCI Security Scans (validated by ASV)
  Enrolled by*: 9/30/2005
  Validate by: 12/31/2005

Level 3
  Validation actions: Annual PCI Questionnaire (validated by QSA); PCI Security Scans (validated by ASV)
  Enrolled by*: 9/30/2005
  Validate by: 12/31/2005

Level 4**
  Validation actions: Annual PCI Questionnaire (validated by QSA); PCI Security Scans (validated by ASV)
  Enrolled by*: N/A
  Validate by: N/A

*Enrolled means that an Annual PCI Questionnaire and PCI Security Scans have been completed by a Qualified Security Assessor (QSA) or an Approved Scanning Vendor (ASV).

**Level 4 merchants must also comply with the PCI Data Security Standard; however, the method of compliance validation for merchants in this category is determined by the merchant's Acquirer.

Validation procedures and documentation

Merchants must demonstrate their compliance by submitting the required documentation to their Acquirer. This documentation must be made available to Visa upon request. Compliance validation is performed at the merchant's expense.


Level 1 Merchant:
The Annual PCI Questionnaire and Annual On-Site PCI Data Security Assessment must be completed by Level 1 merchants according to the PCI DSS Security Assessment Procedures, and the results provided to the Acquirer. The PCI DSS Security Assessment Procedures are to be used as the template for the Report on Compliance. Although Acquirers are responsible for the security of Visa cardholder data wherever it is resident, the scope of AIS compliance validation for Level 1 merchants is focused on any system(s) or system component(s) related to authorization and settlement where Visa cardholder data is stored, processed, or transmitted. The scope of AIS validation is described in the PCI DSS Security Assessment Procedures.

Every other year, Level 1 merchants may choose to use their internal audit department to perform their PCI DSS review, provided:

  1. There are no major infrastructure changes to their credit card processing environment and no change in their compensating controls, if any.
  2. The Acquirer approves this option.
  3. The very first review (validation of full compliance with the PCI DSS) is performed by a QSA.
  4. The PCI Security Assessment Procedures are followed and all observations and findings are documented within the Audit form.
  5. The review is signed off by a senior officer of the merchant.
  6. The merchant submits items 4 and 5 to the Acquirer for review.
  7. PCI Security Scans continue to be performed by an Approved Scanning Vendor (ASV).

This internal audit option is available to Level 1 merchants only, and does not extend to service providers.

If a merchant chooses not to use its internal audit department, a QSA must perform the validation.


Level 2 and 3 Merchants:
The Annual PCI Questionnaire and PCI Security Scans must be completed by Level 2 and 3 merchants. The Annual PCI Questionnaire must be submitted to a QSA for evaluation, with the results then returned to the merchant. The Annual PCI Questionnaire should address any system(s) or system component(s) involved in processing, storing, or transmitting Visa cardholder data.


Level 4 Merchants:
Completion of the Annual PCI Questionnaire and the PCI Security Scans is optional, but highly recommended. At the Acquirer's discretion, certain Level 4 merchants may need to validate compliance with the PCI DSS. Although Level 4 merchants are not required to validate compliance at this time, their network must be PCI DSS compliant.
