The pandemic has affected many business areas and we have seen a few changes in the payment card industry too. Recently we have analyzed the PCI SSC response to the COVID-19 pandemic and changes that they are implementing (read more here).

Last week Visa amended some data security program requirements associated with onsite compliance reviews. The changes apply to:

  • Merchant PCI DSS Compliance Program
  • Third-Party Agent PCI DSS Compliance Program
  • VisaNet Processor PCI DSS Compliance Program
  • PIN Security Program
  • Approved Vendor Program (Card Production, Personalization, and Manufacturing)
  • Access Control Server (3D Secure) Vendor Compliance Program

  • Visa will temporarily discontinue the requirement to complete an onsite data security review effective immediately and ongoing through July 31, 2020.
  • Visa will waive new and existing non-compliance assessments associated with failing to complete on-site data security reviews for the same period.
  • All other Data Security Program requirements remain in place and all organizations that store, transmit or process Visa account data remain responsible for protecting that data following industry security standards and Visa Rules at all times.
  • The waiver of the requirement to complete onsite security reviews during this period does not waive or alter any fees, non-compliance assessments or other liabilities associated with a compromise resulting in the loss of Visa account data that may be applicable.
  • Visa will allow data security compliance assessments to be performed remotely during the waiver period, provided that security assessors can perform their work and can document an organization’s compliance and sign the Attestation of Compliance (AOC) and/or Report of Compliance (ROC).
  • The actual validation deadlines of the individual organizations will continue to be reflected in the Visa Registry. However, the listings will not change colors (yellow and red) if a deadline passes during the extension period (March 2020 through July 2020) and organizations will not be removed from the Registry. Additionally, Visa will temporarily discontinue the use of the overdue validation color designations for other Service Providers as it is unlikely that a revalidation assessment can be completed during this period.
  • After July 31, 2020, clients may submit individual extension or waiver requirements to Visa for review on a case-by-case basis.

It is critical to note that the program adjustment is specific only to the requirement for the completion of onsite compliance reviews. All organizations that store, transmit or process Visa account data remain responsible for protecting that data per industry security standards and Visa Rules at all times.

At Advantio we are ready to assist and complete your assessments remotely. Reach out to your QSA or contact us via the website's contact form to understand the specific impact on your projects, and stay tuned, as we will be constantly monitoring the situation and informing our clients and business partners.

Written by Oleg Aksyonenko

I am a Managing Consultant at Advantio.

During my 18-year IT career, I have been lucky to work with the United Nations for over three years on a field mission, as well as to spend ten years focused on project management, information security, capacity planning, disaster recovery and business continuity.

At Advantio I apply my well-developed analytical, troubleshooting and problem-solving skills. I can also draw on my background in data processing, network and systems architecture, as well as IT security.

My certifications include: CISA, PCI QSA, PA-QSA, QSA (P2PE), PA-QSA (P2PE), 3DS Assessor.