Compliance Validation Deadlines
It is critically important that anyone who is required to comply with the PCI Data Security Standard be aware of the compliance validation deadlines. This is not always an easy task, as the payment card brands (Visa, MasterCard, Discover, American Express and JCB International Co., Inc.) each retain their own list of requirements and due dates. Although the PCI Security Standards Council created the security standards, it is up to each payment card brand to enforce the requirements.
Below is a list of each company's validation requirements and compliance deadlines.
Visa Cardholder Information Security Program
Merchants
Currently, all Visa merchants and service providers must be in compliance with the PCI DSS requirements. Validation requirements are determined based on the merchant level:
| Merchant Level | Validation Requirements |
|---|---|
| 1 | Annual Report of Compliance by a Qualified Security Assessor; Quarterly network vulnerability scan by an Approved Scanning Vendor; Attestation of Compliance Form |
| 2 | Annual Self-Assessment Questionnaire; Quarterly network vulnerability scan by an Approved Scanning Vendor; Attestation of Compliance Form |
| 3 | Annual Self-Assessment Questionnaire; Quarterly network vulnerability scan by an Approved Scanning Vendor; Attestation of Compliance Form |
| 4 | Annual Self-Assessment Questionnaire recommended; Quarterly network vulnerability scan by an Approved Scanning Vendor (if applicable); Compliance validation requirements set by acquirer |
Service Providers
| Service Provider Level | Validation Requirements | Due Date |
|---|---|---|
| 1 - VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year | Annual On-Site PCI Data Security Assessment completed by a Qualified Security Assessor; Quarterly network vulnerability scan by an Approved Scanning Vendor | 2/1/2009 |
| 2 - Any service provider that stores, processes and/or transmits less than 300,000 transactions per year | Annual Self-Assessment Questionnaire; Quarterly network vulnerability scan by an Approved Scanning Vendor | 2/1/2009 |
Software Applications
| Phase | Compliance Mandate | Effective Date |
|---|---|---|
| 1 | Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications | 1/1/2008 |
| 2 | VNPs and agents must only certify new payment applications to their platforms that are PA-DSS-compliant | 7/1/2008 |
| 3 | Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications | 10/1/2008 |
| 4 | VNPs and agents must decertify all vulnerable payment applications | 10/1/2009 |
| 5 | Acquirers must ensure their merchants, VNPs and agents use only PA-DSS-compliant applications | 7/1/2010 |
MasterCard Site Data Protection Program
Merchants
| Merchant Level | Validation Requirements | Validation Date |
|---|---|---|
| 1 | Annual On-Site PCI Data Security Assessment; Quarterly network vulnerability scan by an Approved Scanning Vendor | 6/30/2005 |
| 2 | Annual On-Site PCI Data Security Assessment; Annual Self-Assessment Questionnaire (until 12/31/2010); Quarterly network vulnerability scan by an Approved Scanning Vendor | 12/31/2010 |
| 3 | Annual Self-Assessment Questionnaire; Quarterly network vulnerability scan by an Approved Scanning Vendor | 6/30/2005 |
| 4 | Annual Self-Assessment Questionnaire; Quarterly network vulnerability scan by an Approved Scanning Vendor | Consult Acquirer |
Service Providers
Currently, all MasterCard service providers must be in compliance with the PCI DSS requirements. Validation requirements are determined based on the service provider level:
| Service Provider Level | Validation Requirements |
|---|---|
| 1 - All TPPs and all DSEs that store, transmit, or process greater than 1,000,000 total combined MasterCard and Maestro transactions annually | Annual On-Site PCI Data Security Assessment completed by a Qualified Security Assessor; Quarterly network vulnerability scan by an Approved Scanning Vendor |
| 2 - Includes all DSEs that store, transmit, or process less than 1,000,000 total combined MasterCard and Maestro transactions annually | Annual Self-Assessment Questionnaire; Quarterly network vulnerability scan by an Approved Scanning Vendor |
American Express Data Security Operating Policy
Merchants
| Merchant Level | Validation Requirement |
|---|---|
| 1 | Annual On-Site PCI Data Security Assessment completed by a Qualified Security Assessor - Required; Quarterly network vulnerability scan by an Approved Scanning Vendor - Required |
| 2 | Quarterly network vulnerability scan by an Approved Scanning Vendor - Required |
| 3 | Quarterly network vulnerability scan by an Approved Scanning Vendor - Strongly recommended |
Service Providers
Compliance Requirements:
- Comply with the PA-DSS and the American Express Data Security Operating Policy
- Annual On-Site PCI Data Security Audit validation documentation
- Quarterly network vulnerability scan by an Approved Scanning Vendor
Discover Information Security & Compliance Program
Merchants
Merchant Compliance Requirements
| Merchant Level | Validation Requirements |
|---|---|
| 1 | Complete an annual on-site assessment using the PCI DSS Requirements and Security Assessment Procedures (the on-site assessment may be performed by a Qualified Security Assessor or the merchant's internal auditor); Quarterly network vulnerability scan by an Approved Scanning Vendor |
| 2 | Complete an annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire; Complete quarterly network vulnerability scans performed by an Approved Scanning Vendor |
| 3 | Complete an annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire; Complete quarterly network vulnerability scans performed by an Approved Scanning Vendor |
| 4 | Validation and reporting requirements determined by the merchant's acquirer; Complete an annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire; Quarterly network vulnerability scans performed by an Approved Scanning Vendor - recommended |
Merchant Activity Calendar
| Activity | Compliance Date |
|---|---|
| Assessments started prior to 12/31/2008 may use PCI DSS v1.1 or PCI DSS v1.2 | 12/31/2008 |
| All new assessments must use PCI DSS v1.2 | 1/1/2009 |
| Last date that PCI DSS v1.1 assessments will be accepted | 12/31/2009 |
| All assessments must use PCI DSS v1.2; PCI DSS v1.1 assessments no longer accepted | 1/1/2010 |
Service Providers
| Assessment Type | Compliance Requirement |
|---|---|
| On-Site Assessment | Service providers that completed an on-site assessment using PCI DSS v1.2 are required to submit Appendix E of the PCI DSS Requirements and Security Assessment Procedures v1.2 (Attestation of Compliance - Service Providers), as well as the Executive Summary of the Report on Compliance (ROC). Discover Network requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance. |
| Self-Assessment | Service providers that perform a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D and submit the Service Provider version of the Attestation of Compliance. Discover Network requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance. |
Compliance reports must be submitted to Discover by December 31 for the current year.
JCB International Co., Inc.
Contact JCB directly for more information on PCI Compliance validation requirements and deadlines.