The Payment Card Industry Data Security Standard (PCI DSS) was established as an industry-wide set of requirements and processes to help ensure that cardholders can make purchases confident in the knowledge that the information on their card will be protected from fraudsters.

The PCI Security Standards Council (PCI SSC) owns, maintains and distributes the PCI DSS and , as well as standards for software security and PIN-entry devices. Visa Europe, however, continues to manage all data security compliance enforcement and validation initiatives for Visa- issued cards within the European market.

PCI DSS compliance

PCI DSS compliance is required of all entities that store, process or transmit Visa cardholder data, including financial institutions, merchants and service providers. The PCI DSS applies to all payment channels, including retail (brick-and-mortar), e-commerce and mail or telephone order. Visa Europe’s compliance programmes manage compliance with the PCI DSS with the required programme validation.

The PCI DSS offers a comprehensive approach to safeguarding sensitive data for all card brands. It consists of 12 basic requirements, categorised as follows:

PCI Data Security Standard

Build and Maintain a Secure Network

1  Install and maintain a firewall  configuration to protect data

2  Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3  Protect stored data

4  Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program

5  Use and regularly update anti-virus software

6  Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7  Restrict access to data by business need-to-know

8  Assign a unique ID to each person with computer access

9  Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10  Track and monitor all access to network resources and cardholder data

11  Regularly test security systems and processes

Maintain an Information Security Policy

12  Maintain a policy that addresses information security

By complying with the PCI DSS, Visa clients not only meet their obligations to the payment system, but also build a culture of security that benefits everyone.

Visit the PCI Security Standards Council website for more information.

Commitment to compliance with PCI DSS is a statement of intent for the clients and customers that Visa Europe places security at the core of its business. Visa Europe management recognises the importance of sustainable compliance and has implemented a PCI DSS governance model with nominated individuals across the organisation to champion compliance within their business areas. This ensures compliance is an integral aspect of all business operations and change initiatives, and that employees are engaged and committed to protecting information processed for the clients.

The Visa Europe PCI DSS assessment is conducted annually and it received its eighth PCI DSS Attestation of Compliance (AoC) on Saturday 1st September 2018. The assessment covered all Visa Europe services that store, transmit or process Cardholder data and includes Clearing and Settlement, Payment Processing, Data Preparation, Fraud and Chargeback, Payment Gateways, Issuer Processing, Account Management, Merchant Services, Billing Management, Records Management, and Back Office Services. The important milestone of maintaining PCI DSS compliance for a eighth continuous year provides the Board of Directors with assurance that Visa Europe continues to take its security of information seriously

Compliance validation

Separate and distinct from the mandate to comply with the PCI DSS is the need for entities to verify and demonstrate their compliance status. It's a fundamental and critical function that identifies and corrects vulnerabilities and protects customers by ensuring that appropriate levels of cardholder information security are maintained.

Visa Europe has prioritised and defined levels of compliance validation based on the volume of transactions and the potential risk and exposure introduced into the payment system by merchants and service providers.

More information

  • Visit the Merchants page for a detailed description of Visa merchant levels of compliance criteria and validation actions