
CISP Compliance Validation Basics


In addition to adhering to the PCI Data Security Standard, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants.

Level 1
  • Validation Action: Annual On-site PCI Data Security Assessment and Quarterly Network Scan
  • Validated By: Qualified Security Assessor (or Internal Audit if signed by an Officer of the company) for the assessment; Approved Scanning Vendor for the scan
  • Due Date: 9/30/04. New level 1 merchants have up to one year from identification to validate.

Level 2
  • Validation Action: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
  • Validated By: Merchant for the questionnaire; Approved Scanning Vendor for the scan
  • Due Date: New level 2 merchants: 9/30/2007

Level 3
  • Validation Action: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
  • Validated By: Merchant for the questionnaire; Approved Scanning Vendor for the scan
  • Due Date: 6/30/05

Level 4
  • Validation Action: Annual On-site PCI Data Security Assessment and Quarterly Network Scan
  • Validated By: Merchant for the assessment; Approved Scanning Vendor for the scan
  • Due Date: Validation requirements and dates are determined by the merchant's acquirer

*The PCI DSS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.

Validation procedures and documentation

Acquirers must obtain the required compliance validation documentation from their merchants. Documentation must be available to Visa upon request. Acquirers and merchants should also verify the compliance reporting requirements of other payment card brands, which may require proof of compliance validation.

Compliance validation takes place at the merchant's expense, as follows:
  • The Annual On-Site PCI Data Security Assessment must be completed for Level 1 merchants according to the PCI Security Audit Procedures document. This document is also to be used as the template for the Report on Compliance.

    Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their acquirer. Alternatively, acquirers may elect to accept the Report on Compliance from a level 1 merchant, provided that a letter signed by a merchant officer accompanies the report.

    Download the PCI Security Audit Procedures.


  • The Annual PCI Self-Assessment Questionnaire must be completed by Level 2 and 3 merchants. Level 4 merchants may be required to complete the PCI Self-Assessment Questionnaire as specified by their acquirer.

    Download the PCI Self-Assessment Questionnaire.


  • The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based on the externally-facing Internet Protocol (IP) address provided by the merchant. Acquirers are responsible for ensuring that the quarterly network security scans required of their level 1, 2, and 3 merchants are performed by an Approved Scanning Vendor. The Quarterly Network Security Scan may be required of level 4 merchants as specified by their acquirer.

    Download the PCI Security Scanning Procedures.

To learn more about the CISP, contact Visa via email at AskVisaUSA@Visa.com and/or download our CISP Frequently Asked Questions (PDF, 147k).

Summary of compliance and validation actions by group and level ("Comply with PCI Data Security Standard" is the compliance action; the remaining three columns are validation actions):

Group             Level   Comply with PCI DSS   On-Site Security Audit   Self-Assessment Questionnaire   Network Scan
Merchant          1       Required              Required Annually        --                              Required Quarterly
Merchant          2 & 3   Required              --                       Required Annually               Required Quarterly
Merchant          4       Required              --                       Recommended Annually            Required Quarterly
Service Provider  1       Required              Required Annually        --                              Required Quarterly
Service Provider  2       Required              Required Annually        --                              Required Quarterly
Service Provider  3       Required              --                       Required Annually               Required Quarterly