Compliance Validation Deadlines
Whether you are a merchant, service provider or anyone else who has to be compliant with the PCI DSS, it is important to declare your compliance by the required validation deadlines. This isn’t always an easy task, since the five payment card brands (Visa, MasterCard, Discover, American Express and JCB International Co., Inc.) each maintain their own lists of requirements and due dates.
Below is a list of each company's validation requirements and compliance deadlines.
Visa Cardholder Information Security Program
Merchants
Currently, all Visa merchants and service providers must be in compliance with the PCI DSS requirements. Validation requirements are determined by merchant level.
| Merchant Level | Validation Requirements |
| --- | --- |
| 1 | Annual Report of Compliance by a Qualified Security Assessor; Quarterly network vulnerability scan by an Approved Scanning Vendor; Attestation of Compliance Form |
| 2 | Annual Self-Assessment Questionnaire; Quarterly network vulnerability scan by an Approved Scanning Vendor; Attestation of Compliance Form |
| 3 | Annual Self-Assessment Questionnaire; Quarterly network vulnerability scan by an Approved Scanning Vendor; Attestation of Compliance Form |
| 4 | Annual Self-Assessment Questionnaire recommended; Quarterly network vulnerability scan by an Approved Scanning Vendor (if applicable); Compliance validation requirements set by acquirer |
Service Providers
Visa compliance deadlines for service providers:
| Service Provider Level | Validation Requirements | Due Date |
| --- | --- | --- |
| 1 - VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year | Annual On-Site PCI Data Security Assessment completed by a Qualified Security Assessor; Quarterly network vulnerability scan by an Approved Scanning Vendor | 2/1/2009 |
| 2 - Any service provider that stores, processes and/or transmits less than 300,000 transactions per year | Annual Self-Assessment Questionnaire; Quarterly network vulnerability scan by an Approved Scanning Vendor | 2/1/2009 |
Software Applications
Visa compliance deadlines for software applications:
| Phase | Compliance Mandate | Effective Date |
| --- | --- | --- |
| 1 | Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications | 1/1/2008 |
| 2 | VNPs and agents must only certify new payment applications to their platforms that are PA-DSS-compliant | 7/1/2008 |
| 3 | Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications | 10/1/2008 |
| 4 | VNPs and agents must decertify all vulnerable payment applications | 10/1/2009 |
| 5 | Acquirers must ensure their merchants, VNPs and agents use only PA-DSS compliant applications | 7/1/2010 |
MasterCard Site Data Protection Program
Merchants
MasterCard compliance deadlines for merchants:
| Merchant Level | Validation Requirements | Validation Date |
| --- | --- | --- |
| 1 | Annual On-Site PCI Data Security Assessment; Quarterly network vulnerability scan by an Approved Scanning Vendor | 6/30/2005 |
| 2 | Annual On-Site PCI Data Security Assessment; Annual Self-Assessment Questionnaire (until 12/31/2010); Quarterly network vulnerability scan by an Approved Scanning Vendor | 12/31/2010 |
| 3 | Annual Self-Assessment Questionnaire; Quarterly network vulnerability scan by an Approved Scanning Vendor | 6/30/2005 |
| 4 | Annual Self-Assessment Questionnaire; Quarterly network vulnerability scan by an Approved Scanning Vendor | Consult Acquirer |
Service Providers
Currently, all MasterCard service providers must be in compliance with the PCI DSS requirements. Validation requirements are determined by service provider level.
| Merchant Level | Validation Requirements | Validation Date |
| --- | --- | --- |
| 1 | Annual On-Site PCI Data Security Assessment; Quarterly network vulnerability scan by an Approved Scanning Vendor | 6/30/2005 |
| 2 | Annual On-Site PCI Data Security Assessment; Annual Self-Assessment Questionnaire (until 12/31/2010); Quarterly network vulnerability scan by an Approved Scanning Vendor | 12/31/2010 |
| 3 | Annual Self-Assessment Questionnaire; Quarterly network vulnerability scan by an Approved Scanning Vendor | 6/30/2005 |
| 4 | Annual Self-Assessment Questionnaire; Quarterly network vulnerability scan by an Approved Scanning Vendor | Consult Acquirer |
American Express Data Security Operating Policy
Merchants
American Express compliance deadlines for merchants:
| Merchant Level | Validation Requirement |
| --- | --- |
| 1 | Annual On-Site PCI Data Security Assessment completed by a Qualified Security Assessor - Required; Quarterly network vulnerability scan by an Approved Scanning Vendor - Required |
| 2 | Quarterly network vulnerability scan by an Approved Scanning Vendor - Required |
| 3 | Quarterly network vulnerability scan by an Approved Scanning Vendor - Strongly recommended |
Service Providers
American Express compliance deadlines for service providers:
Compliance Requirements
- Comply with the PA-DSS and the American Express Data Security Operating Policy
- Annual On-Site PCI Data Security Audit validation documentation
- Quarterly network vulnerability scan by an Approved Scanning Vendor
Discover Information Security & Compliance Program
Merchants
Merchant Compliance Requirements
| Merchant Level | Validation Requirements |
| --- | --- |
| 1 | Complete an annual on-site assessment using the PCI DSS Requirements and Security Assessment Procedures. On-site assessment may be performed by a Qualified Security Assessor OR merchant’s internal auditor; Quarterly network vulnerability scan by an Approved Scanning Vendor |
| 2 | Complete an annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire; Complete Quarterly network vulnerability scans performed by an Approved Scanning Vendor |
| 3 | Complete an annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire; Complete Quarterly network vulnerability scans performed by an Approved Scanning Vendor |
| 4 | Validation and Reporting Requirements determined by the merchant's acquirer; Complete an annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire; Quarterly network vulnerability scans performed by an Approved Scanning Vendor - recommended |
Merchant Activity Calendar
| Activity | Compliance Date |
| --- | --- |
| Assessments started prior to 12/31/2008 may use PCI DSS v1.1 or PCI DSS v1.2 | 12/31/2008 |
| All new assessments must use PCI DSS v1.2 | 1/1/2009 |
| Last date that PCI DSS v1.1 assessments will be accepted | 12/31/2009 |
| All assessments must use PCI DSS v1.2 – PCI DSS v1.1 assessments no longer accepted | 1/1/2010 |
Service Providers
Discover compliance requirements for service providers:
| Assessment Type | Compliance Requirement |
| --- | --- |
| On-Site Assessment | Service providers that completed an on-site assessment using PCI DSS v1.2 are required to submit Appendix E of the PCI DSS Requirements and Security Assessment Procedures v1.2: Attestation of Compliance - Service Providers, as well as the Executive Summary of the Report on Compliance (ROC). Discover Network requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance. |
| Self-Assessment | Service providers that perform a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D and submit the Service Provider Version of the Attestation of Compliance. Discover Network requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance. |
Compliance reports must be submitted to Discover by December 31 for the current year.
JCB International Co., Inc.
Contact JCB directly for more information on PCI Compliance validation requirements and deadlines.