PCI Compliance Validation Procedures and Documentation

Merchants must validate their compliance by submitting the required documentation to their acquirer. Documentation must be available to Visa upon request. Compliance validation takes place at the merchant's expense, as follows:

The Annual On-Site Security Audit must be completed by Level 1 merchants according to the PCI Security Audit Procedures document. This document is also to be used as the template for the Report on Compliance. Although acquirers are responsible for the security of Visa cardholder data wherever it is resident, the scope of CISP compliance validation for Level 1 merchants is focused on any system(s) or system component(s) related to authorization and settlement where Visa cardholder data is retained, stored, or transmitted.

The scope of CISP validation is described in the PCI Security Audit Procedures download. Level 1 merchants should engage a Visa-approved, independent security assessor to complete the Report on Compliance and provide results to their acquirer. Alternatively, acquirers may elect to accept the Report on Compliance from a merchant's internal auditor, provided that a letter signed by an executive-level officer of the merchant accompanies the report.

Download the PCI Security Audit Procedures and Reporting (pcisecuritystandards.org).

The Annual Self-Assessment Questionnaire must be completed by Level 2 and 3 merchants. The PCI Self-Assessment Questionnaire should address any system(s) or system component(s) involved in processing, storing, or transmitting Visa cardholder data. Level 4 merchants are not required, but are strongly encouraged, to complete the Self-Assessment Questionnaire.

Download the PCI Self-Assessment Questionnaire (pcisecuritystandards.org).

The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based on the externally facing Internet Protocol (IP) address provided by the merchant. Level 1, 2, and 3 merchants are responsible for ensuring that a quarterly network scan is performed on their Internet-facing perimeter systems by a qualified independent scan vendor. The Quarterly Network Security Scan is optional, but highly recommended, for Level 4 merchants.

Download the PCI Security Scanning Procedures (PDF, 105k, pcisecuritystandards.org).

The ABCs of SAQs - Which one is for you?

There are different Self-Assessment Questionnaires (SAQs) for merchants with varying types of exposure to cardholder data.

SAQ A: For card-not-present (e-commerce or mail/telephone order) merchants with all cardholder data functions outsourced. This never applies to face-to-face merchants.

SAQ B: For merchants who process cardholder data only via imprint machines or standalone, dial-out terminals, with no electronic cardholder data storage.

SAQ C: For merchants with IP terminals or POS systems connected to the Internet, with no electronic cardholder data storage and no other networked devices.

SAQ C-VT v2.0: For merchants who process cardholder data only via isolated virtual terminals on personal computers connected to the Internet.

SAQ D v2.0: For all merchants not meeting the descriptions of SAQ types A through C, and for all service providers defined by a payment brand as eligible to complete an SAQ.

What is an AOC?

An Attestation of Compliance (AOC) is a document that merchants complete to verify that the information on their Self-Assessment Questionnaire is true. Each AOC (A through D) corresponds to the SAQ of the same letter (A through D).

The SAQ and AOC documents are available from pcisecuritystandards.org.
