PCI Validation Procedures for Merchants
Merchants must demonstrate their compliance by submitting the required documentation to their Acquirer. This documentation must be made available to Visa upon request. Compliance validation is performed at the merchant's expense.
Level 1 Merchant:
The Annual PCI Questionnaire and Annual On-Site PCI Data Security Assessment must be completed by Level 1 merchants according to the PCI DSS Security Assessment Procedures and the results provided to the acquirer. The PCI-DSS Security Assessment Procedures are to be used as the template for the Report on Compliance. Although acquirers are responsible for the security of Visa cardholder data wherever it is resident, the scope of AIS compliance validation for Level 1 merchants is focused on any system(s) or system component(s) related to authorization and settlement where Visa cardholder data is stored, processed, or transmitted. The scope of AIS validation is described in the PCI DSS Security Assessment Procedures.
Every other year, Level 1 merchants may choose to use their internal audit department to perform their PCI DSS review, provided:
- There are no major infrastructure changes to their credit card processing environment as well as no change in their compensating controls, if any.
- The Acquirer approves this optionThe very first review (validation of full compliance with the PCI DSS) must be performed by a QSA
- PCI Security Assessment Procedures must be followed and all observations and findings documented within the Audit form.
- The review must be signed-off by a senior officer of the merchant
- The merchant must submit items 4 & 5 to the Acquirer for review.
- PCI Security Scans must be continued with an Approved Scanning Vendor (ASV)
This internal audit option is available to Level 1 merchants only, and does not extend to service providers.
If a merchant chooses not to use its internal audit department, a QSA must perform the validation.
Level 2 and 3 Merchants:
The Annual PCI Questionnaire and PCI Security Scans must be completed by Level 2 and 3 merchants. The Annual PCI Questionnaire must be submitted to a QSA for evaluation with the results then returned to the merchant. The Annual PCI Questionnaire should address any system(s) or system component(s) involved in processing, storing, or transmitting Visa cardholder data.
Level 4 Merchants:
Completion of the Annual PCI Questionnaire and the PCI Security Scans are optional, but highly recommended. Based on Acquires discretion, certain Level 4 merchants may need to validate compliance with the PCI DSS. Although Level 4 merchants are not required to validate compliance at this time, their network must be PCI-DSS compliant.