Validation procedures and documentation

Merchants must validate their compliance by submitting the required documentation to their acquirer. Documentation must be available to Visa upon request. Compliance validation takes place at the merchant's expense, as follows:

The Annual On-Site Security Audit must be completed by Level 1 merchants according to the PCI Security Audit Procedures document. This document is also to be used as the template for the Report on Compliance. Although acquirers are responsible for the security of Visa cardholder data wherever it is resident, the scope of CISP compliance validation for Level 1 merchants is focused on any system(s) or system component(s) related to authorization and settlement where Visa cardholder data is retained, stored, or transmitted.

The scope of CISP validation is described in the PCI Security Audit Procedures download. Level 1 merchants should engage a Visa-approved, independent security assessor to complete the Report on Compliance and provide results to their acquirer. Alternatively, acquirers may elect to accept the Report on Compliance from a merchant's internal auditor, provided that a letter signed by an executive-level officer of the merchant accompanies the report.

Download the PCI Security Audit Procedures and Reporting (DOC, 627k, pcisecuritystandards.org).

The Annual Self-Assessment Questionnaire must be completed by Level 2 and 3 merchants. The PCI Self-Assessment Questionnaire should address any system(s) or system component(s) involved in processing, storing, or transmitting Visa cardholder data. Level 4 merchants are not required, but are strongly encouraged, to complete the Self-Assessment Questionnaire.

Download the PCI Self-Assessment Questionnaire (DOC, 293k, pcisecuritystandards.org).

The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan that remotely reviews networks and Web applications based on the externally-facing Internet Protocol (IP) address(es) provided by the merchant. Level 1, 2, and 3 merchants are responsible for ensuring that a quarterly network scan is performed on their Internet-facing perimeter systems by a qualified independent scan vendor. The Quarterly Network Security Scan is optional, but highly recommended, for Level 4 merchants.
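Two things go wrong in practice with the scan described above: the address list handed to the scan vendor contains hosts a remote scanner cannot reach (private, loopback or link-local addresses, which then silently fall out of scope), and the interval between completed scans drifts past a quarter. The following is an added example, not Visa, PCI or vendor code, that checks a submitted scope list and a list of completed scan dates. The sample addresses and dates are constructed; the 90-day window is this example's interpretation of "quarterly"; and the reserved-range list is explicit because Python's ipaddress module also treats the documentation ranges used here as non-global.

```python
import ipaddress
from datetime import date

# Constructed sample: the addresses a merchant submits as its externally
# facing perimeter. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for public hosts.
SAMPLE_SCOPE = [
    "203.0.113.10",      # stands in for a public web host
    "198.51.100.0/29",   # small public block
    "10.20.30.40",       # RFC 1918 private: a remote external scan cannot reach it
    "127.0.0.1",         # loopback
    "not-an-ip",         # malformed entry
]

# IPv4 ranges a scanner on the public Internet cannot reach; a scope entry
# overlapping any of these is not an "externally-facing" target.
UNREACHABLE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private space
    "100.64.0.0/10",                                  # carrier-grade NAT shared space
    "127.0.0.0/8",                                    # loopback
    "169.254.0.0/16",                                 # link-local
    "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",        # unspecified, multicast, reserved
)]


def classify_scope(entries):
    """Split a scope list into external targets and rejected entries.

    Returns (external, rejected); each rejected item is (raw_entry, reason).
    """
    external, rejected = [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "malformed"))
            continue
        if net.version != 4:
            # IPv6 perimeters exist but this example only handles IPv4 ranges.
            rejected.append((raw, "IPv6 not handled here"))
            continue
        if any(net.overlaps(r) for r in UNREACHABLE_RANGES):
            rejected.append((raw, "not reachable from the Internet"))
            continue
        external.append(str(net))
    return external, rejected


def scan_gaps(scan_dates, window_days=90):
    """Return (earlier, later, days) for each pair of consecutive scans
    whose spacing exceeds window_days (assumed quarterly cadence)."""
    dates = sorted(scan_dates)
    gaps = []
    for earlier, later in zip(dates, dates[1:]):
        days = (later - earlier).days
        if days > window_days:
            gaps.append((earlier, later, days))
    return gaps


# Constructed sample: completed scan dates for one year (2024).
SAMPLE_SCANS = [date(2024, 1, 15), date(2024, 4, 10),
                date(2024, 8, 1), date(2024, 10, 20)]

if __name__ == "__main__":
    ok, bad = classify_scope(SAMPLE_SCOPE)
    print("in scope for external scan:", ok)
    for raw, reason in bad:
        print(f"rejected {raw!r}: {reason}")
    for earlier, later, days in scan_gaps(SAMPLE_SCANS):
        print(f"cadence gap: {days} days between {earlier} and {later}")
```

Run as a script it lists the two reachable targets, explains why each of the other three entries was dropped, and reports the one interval (April to August) that overran the window. Feeding the vendor only the `external` list, and reviewing the rejected entries with the network team, keeps the submitted scope honest about what a remote scan can actually cover.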

Download the PCI Security Scanning Procedures (PDF, 105k, pcisecuritystandards.org).
