Knowing the critical deadlines for the Payment Card Industry standards - PCI DSS, PA-DSS, and PCI PED - is vital for any merchant or payment service provider. But finding all the PCI compliance dates can be tricky: even though the PCI Security Standards Council (PCI SSC) developed these standards, compliance is actually mandated by the individual payment card brands - Visa, Mastercard, American Express, Discover and JCB International.
The PCI SSC does not currently maintain a comprehensive list of the PCI compliance deadlines on its site, so we compiled one here for each payment card brand, along with a link to the PCI compliance program section of each brand's site. We hope you find this list useful.
Visa CISP (Cardholder Information Security Program)
Merchants
All compliance dates for Visa merchants have passed. Visa's PCI compliance validation requirements for merchants:
| Level / Tier | Merchant Criteria | Validation Requirements |
|---|---|---|
| 1 | Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region | Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA); quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance form |
| 2 | Merchants processing 1 million to 6 million Visa transactions annually (all channels) | Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV; Attestation of Compliance form |
| 3 | Merchants processing 20,000 to 1 million Visa e-commerce transactions annually | Annual SAQ; quarterly network scan by ASV; Attestation of Compliance form |
| 4 | Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually | Annual SAQ recommended; quarterly network scan by ASV if applicable; compliance validation requirements set by acquirer |
Service Providers
| Level* | Validation Action | Validated By | Due Date |
|---|---|---|---|
| 1 | Annual on-site PCI data security assessment; quarterly network scan | Qualified Security Assessor; Approved Scanning Vendor | 2/1/2009 |
| 2 | Annual PCI Self-Assessment Questionnaire; quarterly network scan | Service provider; Approved Scanning Vendor | 2/1/2009 |
*Visa Service Provider Levels are defined as:
Level 1 - VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year
Level 2 - Any service provider that stores, processes and/or transmits less than 300,000 transactions per year
Software Applications - US and Canada*
| Phase | Compliance Mandate | Effective Date |
|---|---|---|
| 1 | Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications | 1/1/2008 |
| 2 | VNPs and agents must only certify new payment applications to their platforms that are PA-DSS compliant | 7/1/2008 |
| 3 | Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications | 10/1/2008 |
| 4 | VNPs and agents must decertify all vulnerable payment applications | 10/1/2009 |
| 5 | Acquirers must ensure their merchants, VNPs and agents use only PA-DSS-compliant applications | 7/1/2010 |
*In Asia Pacific, Central and Eastern Europe, Middle East and Africa, Latin America and the Caribbean (LAC), Visa acquirers must ensure that newly signed merchants use PA-DSS compliant applications by July 1, 2010. By July 1, 2012, those acquirers must ensure existing merchants and agents in the Visa network use PA-DSS compliant applications.
Visa CISP Program Home
Mastercard SDP Program (Site Data Protection)
Merchants
| Merchant Definition | Criteria | Onsite Review | Self Assessment | Network Security Scan | Initial Compliance Validation Date |
|---|---|---|---|---|---|
| Level 1 | All merchants, including electronic commerce merchants, with more than 6 million total MasterCard transactions annually; all merchants that experienced an account compromise; all merchants meeting the Level 1 criteria of a competing payment brand; any merchant that MasterCard, at its sole discretion, determines should meet the Level 1 merchant requirements | Required annually | Not required | Required quarterly | 6/30/2005 |
| Level 2 | All merchants with more than one million but fewer than six million total MasterCard transactions annually; all merchants meeting the Level 2 criteria of a competing payment brand | Required annually | Required annually | Required quarterly | 12/31/2008 |
| Level 3 | All merchants with more than 20,000 but fewer than one million annual MasterCard e-commerce transactions; all merchants meeting the Level 3 criteria of a competing payment brand | Not required | Required annually | Required quarterly | 6/30/2005 |
| Level 4 | | Not required | Required annually | Required quarterly | Consult acquirer |
Service Providers
All compliance dates for Mastercard Service Providers have passed. Required validation procedures by level:
| Service Provider Definition | Criteria | Requirement |
|---|---|---|
| Level 1 | All TPPs (Third Party Processors); all DSEs (Data Storage Entities) that store, transmit, or process more than 1,000,000 total combined MasterCard and Maestro transactions annually | Annual onsite review performed by a Qualified Security Assessor (QSA); quarterly scan by an Approved Scanning Vendor (ASV) |
| Level 2 | All DSEs that store, transmit, or process fewer than 1,000,000 total combined MasterCard and Maestro transactions annually | Annual Self-Assessment Questionnaire (SAQ); quarterly scan by an Approved Scanning Vendor (ASV) |
Mastercard SDP Program Home
American Express Data Security
American Express requires merchants and service providers to agree to its Data Security Operating Policy. American Express compliance dates are based on the date of the previous validation documentation: an updated scan document is due 90 days after the date of a scan, and an updated Annual Onsite Audit is due one year (365 days) after the date of the previous Annual Onsite Audit.
Merchants
| Level | Definition | Validation Documentation | Requirement |
|---|---|---|---|
| 1 | 2.5 million American Express Card transactions or more per year; or any merchant that has had a data incident; or any merchant that American Express otherwise deems a Level 1 | Annual Onsite Security Audit Report and Quarterly Network Scan | Mandatory |
| 2 | 50,000 to 2.5 million American Express Card transactions per year | Quarterly Network Scan | Mandatory |
| 3 | Fewer than 50,000 American Express Card transactions per year | Quarterly Network Scan | Strongly recommended |
Service Providers
Compliance requirements:
- Comply with the PA-DSS and the American Express Data Security Operating Policy
- Annual Onsite Security Audit validation documentation
- Quarterly Network Scan validation documentation
American Express Data Security Home
Discover Information Security & Compliance (DISC)
Merchants
Discover's Merchant Activity Calendar:
| Activity | Date |
|---|---|
| Assessments started prior to 12/31/2008 may use PCI DSS v1.1 or PCI DSS v1.2 | 12/31/2008 |
| All new assessments must use PCI DSS v1.2 | 1/1/2009 |
| Last date that PCI DSS v1.1 assessments will be accepted | 12/31/2009 |
| All assessments must use PCI DSS v1.2; PCI DSS v1.1 assessments no longer accepted | 1/1/2010 |
Discover's Merchant Levels and Compliance Requirements:
| Level | Description | Compliance Validation Requirements |
|---|---|---|
| 1 | All merchants processing a total of more than 6 million Discover Network card transactions per year; any merchant Discover Network, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements; all merchants required by another payment brand to validate and report their compliance as a Level 1 merchant | Complete an annual on-site assessment using the PCI DSS Requirements and Security Assessment Procedures (the on-site assessment may be performed by a Qualified Security Assessor or by the merchant's internal auditor); complete quarterly network vulnerability scans performed by an Approved Scanning Vendor |
| 2 | All merchants processing a total of 1 million to 6 million Discover Network card transactions per year; all merchants required by another payment brand to validate and report their compliance as a Level 2 merchant | Complete an annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ); complete quarterly network vulnerability scans performed by an Approved Scanning Vendor |
| 3 | All merchants processing a total of 20,000 to 1 million Discover Network card-not-present-only transactions per year; all merchants required by another payment brand to validate and report their compliance as a Level 3 merchant | Complete an annual self-assessment using the applicable PCI DSS SAQ; complete quarterly network vulnerability scans performed by an Approved Scanning Vendor |
| 4 | | Validation and reporting requirements determined by the merchant's acquirer; an annual self-assessment using the applicable PCI DSS SAQ and quarterly network vulnerability scans performed by an Approved Scanning Vendor are recommended |
Service Providers
All service providers that process, store or transmit Discover Network cardholder data are required to report their compliance status to Discover Network on an annual basis. All compliance reports must be submitted by December 31 for the current year.
| Assessment | Requirement |
|---|---|
| On-Site Assessment | Service providers that completed an on-site assessment using PCI DSS v1.2 are required to submit Appendix E of the PCI DSS Requirements and Security Assessment Procedures v1.2 (Attestation of Compliance - Service Providers), as well as the Executive Summary of the Report on Compliance (ROC). Discover Network requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance. |
| Self-Assessment | Service providers that perform a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D and submit the Service Provider version of the Attestation of Compliance. Discover Network requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance. |
Discover also strongly recommends that service providers and their agents use payment applications that have been validated as compliant with the PCI Payment Application Data Security Standard (PA-DSS).
DISC Home
JCB International
Contact JCB International directly for PCI compliance deadlines.