PCI DSS Compliance Blog: PCI Compliance Deadlines

« Payment Industry Acronyms | Main | PCI Compliant Hosting »

05/05/2009

PCI Compliance Deadlines

Knowing the critical deadlines for the Payment Card Industry Standards - PCI DSS, PA-DSS, and PCI PED - is vital for any merchant or payment service provider.  But finding all the PCI compliance dates can be tricky: even though the PCI Security Standards Council (PCI SSC) developed these standards, compliance is actually mandated by the individual payment card brands - Visa, Master Card, American Express, Discover and JCB International.

The PCI SSC does not currently maintain a comprehensive list of the PCI compliance deadlines on their site, so we compiled one here for each payment card brand, along with a link to their PCI compliance program section of their sites.  We hope you find this list useful.


Visa CISP (Cardholder Information Security Program)

Merchants

All compliance dates for Visa merchants have passed. Visa's PCI compliance validation requirements for merchants:

Level / Tier
Merchant Criteria

Validation Requirements
1 Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region
  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form
2 Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
3 Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
4 Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually
  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by acquirer

 

Service Providers

Level*
Validation Action
 Validated By

Due Date

1
  • Annual On-Site PCI Data Security Assessment
  • Quarterly Network Scan
  • Qualified Security Assessor
  • Approved Scanning Vendor
 2/1/2009
2
  • Annual PCI Self-Assessment Questionnaire
  • Quarterly Network Scan
  • Service Provider
  • Approved Scanning Vendor
 2/1/2009

*Visa Service Provider Levels are defined as:
Level 1 - VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year
Level 2 - Any service provider that stores, processes and/or transmits less than 300,000 transactions per year

 

Software Applications - US and Canada*

Phase
Compliance Mandate

Effective Date
1 Newly boarded merchants must not use known vulnerable payment applications, and VisaNet Processors (VNPs) and agents must not certify new payment applications to their platforms that are known vulnerable payment applications 1/1/2008
2 VNPs and agents must only certify new payment applications to their platforms that are PA-DSS-compliant 7/1/2008
3 Newly boarded Level 3 and 4 merchants must be PCI DSS compliant or use PA-DSS-compliant applications 10/1/2008
4 VNPs and agents must decertify all vulnerable payment applications 10/1/2009
5 Acquirers must ensure their merchants, VNPs and agents use only PA-DSS compliant applications 7/1/2010

*In Asia Pacific, Central and Eastern Europe, Middle East and Africa, Latin America and the Caribbean (LAC), Visa acquirers must ensure that newly signed merchants use PA-DSS compliant applications by July 1, 2010. By July 1, 2012, those acquirers must ensure existing merchants and agents in the Visa network use PA-DSS compliant applications.

Visa CISP Program Home


Mastercard SDP Program (Site Data Protection)

Merchants

Merchant Definition
Criteria
Onsite Review
Self Assessment
Network Security Scan
Initial Compliance Validation Date
Level 1
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant having greater than six million total combined MasterCard and Maestro transactions annually
  • Any merchant meeting the Level 1 criteria of Visa
  • Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
 Required Annually Not Required Required Quarterly 6/30/2011
Level 2
  • Any merchant with greater than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually
  • Any merchant meeting the Level 2 criteria of Visa
 At Merchant Discretion
 Required Annually Required Quarterly 06/30/2011
Level 3
  • Any merchant with greater than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro ecommerce transactions annually
  • Any merchant meeting the Level 3 criteria of Visa
 Not Required Required Annually Required Quarterly 6/30/2005
Level 4
  • All other merchants
 Not Required Required Annually Required Quarterly Consult Acquirer

 

Service Providers

All compliance dates for Mastercard Service Providers have passed. Required validation procedures by level:

Service Provider Definition
Criteria
Requirement
Level 1
  • All TPPs
  • All DSE’s that store, transmit, or process greater than 1,000,000 total combined MasterCard and Maestro transactions annually    
  • Annual Onsite review performed by a Qualified Security Assessor (QSA)
  •  Quarterly scan by an Approved Scanning Vendor (ASV)     
Level 2
  • Includes all DSE’s that store, transmit, or process less than 1,000,000 total combined MasterCard and Maestro transactions annually 
  • Annual Self-Assessment Questionnaire (SAQ)
  •  Quarterly scan by an Approved Scanning Vendor (ASV)   

Mastercard SDP Program Home


American Express Data Security

American Express requires merchants and service providers agree with their Data Security Operating Policy. American Express compliance dates are based on the date of the validation documentation: 90 days from the date of a scan, an updated scan document is due. One year (365 days) from the date of an Annual Onsite Audit, an updated Annual Onsite Audit is due.

Merchants

Level
Definition
Validation Documentation
Requirement
1 2.5 million American Express Card transactions or more per year; or any merchant that has had a data incident; or any merchant that American Express otherwise deems a Level 1 Annual Onsite Security Audit Report and Quarterly Network Scan Mandatory
2 50,000 to 2.5 million American Express Card transactions per year Quarterly Network Scan Mandatory
3 Less than 50,000 American Express Card transactions per year Quarterly Network Scan Strongly Recommended

 

Service Providers

Compliance Requirements

  • Comply with the PA-DSS and the American Express Data Security Operating Policy
  • Annual Onsite Security Audit Validation Documentation
  • Quarterly Network Scan Validation Documentation

American Express Data Security Home


Discover Information Security & Compliance (DISC)

Merchants

Discover's Merchant Activity Calendar:

Activity
Date
Assessments started prior to 12/31/2008 may use PCI DSS v1.1 or PCI DSS v1.2 12/31/2008
All new assessments must use PCI DSS v1.2 1/1/2009
Last date that PCI DSS v1.1 assessments will be accepted 12/31/2009
All assessments must use PCI DSS v1.2 – PCI DSS v1.1 assessments no longer accepted 1/1/2010

Discover's Merchant Levels and Compliance Requirements:

Level
Description
Compliance Validation Requirements
1
  • All merchants processing a total of more than 6 million Discover Network card transactions per year
  • Any merchant Discover Network, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements
  • All merchants required by another payment brand to validate and report their compliance as a Level 1 merchant
  • Complete an annual on-site assessment using the PCI DSS Requirements and Security Assessment Procedures. On-site assessment may be performed by a Qualified Security Assessor OR merchant’s internal auditor
  • Complete Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor
2
  • All merchants processing a total of 1 million to 6 million Discover Network card transactions per year
  • All merchants required by another payment brand to validate and report their compliance as a Level 2 merchant
  • Complete an annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire ("SAQ")
  • Complete Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor
3
  • All merchants processing a total of 20,000 to 1 million Discover Network card-not-present only transactions per year
  • All merchants required by another payment brand to validate and report their compliance as a Level 3 merchant
  • Complete an annual self-assessment using the applicable PCI DSS SAQ
  • Complete Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor
4
  • All other merchants
  • Validation and Reporting Requirements determined by the merchant's acquirer.
  • Annual self-assessment using the applicable PCI DSS SAQ AND Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor are recommended

 

Service Providers

All service providers that process, store or transmit Discover Network cardholder data are required to report their compliance status to Discover Network on an annual basis. All compliance reports must be submitted by December 31 for the current year.

Assessment
Requirement
On-Site Assessment
  • Service providers that completed an on-site assessment using PCI DSS v1.2 are required to submit Appendix E of the PCI DSS Requirements and Security Assessment Procedures v1.2: Attestation of Compliance - Service Providers, as well as the Executive Summary of the Report on Compliance (ROC).
  • Discover Network requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance.
Self-Assessment
  • Service providers that perform a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D and submit the Service Provider Version of the Attestation of Compliance.
  • Discover Network requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" Section of the Attestation of Compliance.

Discover also strongly recommends that service providers and their agents use payment applications that have been validated as compliant with the PCI Payment Application Data Security Standard (PA-DSS).

DISC Home


JCB International

Contact JCB International directly for PCI compliance deadlines.

Posted at 10:51 AM in MasterCard, PA-DSS, PCI Compliance, PCI DSS, Visa |

Technorati Tags:

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a010534b0dc03970c0115706fccfa970b

Listed below are links to weblogs that reference PCI Compliance Deadlines:

Comments

You need to update the MC SDP table above based on the news today whereby MC will be requiring Tier 2 merchants to undergo on-site assessments by 12/31/2010. http://www.mastercard.com/us/sdp/merchants/merchant_levels.html
http://blogs.verisign.com/securityconvergence/2009/06/news_flash_mastercard_requires.php

Posted by: ianbuxton | 06/17/2009 at 02:01 PM

Spot on, Ian. Thanks for pointing us toward that breaking news and, of course, for reading our blog!

We've edited the table to reflect the new MC Level 2 requirements.

Posted by: ElementPS | 06/18/2009 at 09:29 AM

You may also want to update the Visa CISP Software Applications Table to reflect the new compliance date for PA-DSS Certified Applications for non-US & Canada Regions - http://corporate.visa.com/md/nr/press931.jsp

Posted by: Rafael Rosado | 07/18/2009 at 08:49 AM

Thanks, Rafael. Just made that addition into this post.

Posted by: ElementPS | 07/20/2009 at 04:44 PM

I reccommend you update your reporting reqs for VISA

http://www.visa-asia.com/ap/sea/merchants/riskmgmt/ais_merchants.shtml#Requirements

Acquirers are responsible for ensuring that all their merchants comply with the PCI Data Security Standard (DSS) requirements; however, merchant compliance validation has been prioritized based on the volume of transactions, the potential risk, and exposure introduced into the payment system.

Prohibited Data Storage Deadline for Level 1 and 2 Merchants
By 30 September 2009, acquirers must confirm that their Level 1 and 2 merchants do not retain sensitive authentication data (i.e., full magnetic stripe/track, CVV2 or PIN data) after transaction authorization.
PCI DSS Compliance Validation Deadline for Level 1 merchants
By 30 September 2010, acquirers must attest that each of their Level 1 merchants has validated full PCI DSS compliance.
Level 1, 2 and 3 merchant compliance reporting
To ensure compliance with the AIS program requirements acquirers must report Level 1, 2 and 3 merchant compliance status twice a year (31st of March and 30th of September 2009) as follows:

*
Acquirer reports to include status of each Level 1 merchant
*
Acquirer reports to include status of each Level 2 merchant
*
Statistical reporting metrics for Level 3 merchants

Posted by: THomas Jackson | 10/11/2009 at 08:10 AM

Thanks, Thomas. We appreciate your careful eye and your readership!

Posted by: Element Payment Services | 10/12/2009 at 02:20 PM

i'd really like to see the PCI SSC deadlines here.

the PCI council apparently gives its own deadlines, such as those posted in the new wireless sig requirements / dss 1.2: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1362029,00.html

4.1.1 Ensure wireless networks transmitting
cardholder data or connected to the cardholder
data environment, use industry best practices
(for example, IEEE 802.11i) to implement
strong encryption for authentication and
transmission.

• For new wireless implementations, it
is prohibited to implement WEP after
March 31, 2009.

• For current wireless implementations,
it is prohibited to use WEP after June
30, 2010.

Posted by: jcran | 10/28/2009 at 06:45 AM

Jcran,

Thanks for your comment.

The WEP requirement is embedded within the PCI DSS document.
Other than this specific WEP requirement, we're not aware of any PCI SSC-issue deadlines. The PCI SSC is simply responsible for identifying the compliance requirements, but it is up to the payment brands (e.g. Visa) to be the enforcer of those requirements.

Since all merchants and service providers are already required to be PCI DSS compliant, I’m not aware of any Visa deadlines other than those for Payment Applications and PA-DSS. Every merchant must complete an SAQ at least once a year, which means that any new requirements related to dates and old technology would be outlined in each new version of the PCI DSS, and each merchant/provider must ensure they meet those requirements (which is why existing merchants have until June of 2010 for their current implementations).

Basically, by reporting the deadlines/requirements of the payment brands (like we did in that post), it assumes that for a merchant to be PCI DSS compliant, they had to have already reviewed the most recent PCI DSS version which would have included the details about WEP requirement.

The confusion around this issue is exactly why we wrote this post outlining all the deadlines for each payment brand - because it is the payment brands that enforce what the PCI SSC outlines.

Posted by: Jeff Gross, Element Payment Services | 10/29/2009 at 09:31 AM

Post a comment

Comments are moderated, and will not appear on this weblog until the author has approved them.

If you have a TypeKey or TypePad account, please Sign In