PCI Validation Procedures for Service Providers

Effective February 1, 2009, Visa will only require submission of an executed Attestation of Compliance Form and the “Executive Summary” section of the service provider’s Report on Compliance (ROC) to demonstrate PCI DSS compliance as a Level 1 service provider. Level 2 service providers will submit version D of the Self-Assessment Questionnaire (SAQ).

All materials must be sent securely via PGP encryption to pcirocs@visa.com. If PGP is not available, please contact Visa at cisp@visa.com to discuss an alternative submission method. Qualified Security Assessors (QSAs) must submit only fully executed Attestation of Compliance forms, properly signed by the QSA and the service provider confirming compliance with the PCI DSS. The ROC Executive Summary must clearly state the scope of the service provider’s PCI DSS assessment. Visa reserves the right to require submission of a service provider’s complete ROC.

The global service provider levels and new PCI DSS compliance validation submission process will go into effect on February 1, 2009. U.S. service providers that validate PCI DSS compliance and submit their required PCI DSS compliance validation documentation to Visa prior to February 1, 2009, will be accepted under the previous service provider levels and submission process.

  • The Annual On-Site PCI Data Security Assessment must be completed for Level 1 providers according to the PCI Requirements and Security Assessment Procedures v1.2 document. This document is also to be used as the template for the Report on Compliance.

    Level 1 service providers should engage a Qualified Security Assessor to complete the Report on Compliance.

  • The Attestation of Compliance for Onsite Assessments – Service Providers must be completed by every service provider validating compliance, together with its assessor, and submitted to Visa. The form can be found in the PCI Requirements and Security Assessment Procedures v1.2 document.
  • The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based on the externally-facing Internet Protocol (IP) address provided by the service provider. Level 1 and 2 service providers are responsible for ensuring that a quarterly network scan is performed on their Internet-facing perimeter systems by an Approved Scanning Vendor.