TD Merchant Solutions data security

Ensure the safety of your cardholder data to help prevent theft

Staying current with industry standards

Payment Card Industry Data Security Standard (PCI DSS)

The efforts of PCI DSS are designed to help you prevent the theft of confidential consumer cardholder data by assessing whether that data is secure within your organization and, if necessary, improving your level of security to meet or exceed industry standards.

We have included vital information below to help ensure you are informed about data security and provide direction on your role in maintaining cardholder data security.

Upholding the standard

PCI DSS requires any organization that collects, processes, transmits or stores cardholder data, to uphold and maintain the data security standards that are set by the payment industry worldwide, and which are managed by the PCI Security Standards Council (PCI SSC).

All merchants who handle cardholder data must comply with PCI DSS and the Payment Card Networks’ Compliance Programs. Merchants that don't comply may be subject to fines, fees or assessments and/or termination of their processing services.

Visa compliance program

Visa Canada’s Payment Application Compliance Program provides clear direction to acquirers in terms of timelines for ensuring their merchants (both new and existing) who use payment application software to process transactions, only use software that's been validated against PCI DSS requirements.

Learn more about Visa Canada’s Payment Application Compliance Program

More data security information

12 principles of PCI DSS

PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The result is a comprehensive standard intended to help organizations protect consumer cardholder data.

Below are the twelve principle requirements of PCI DSS.

Build and maintain a secure network

  1. Install and maintain a firewall configuration to protect cardholder data

  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

  1. Protect stored cardholder data

  2. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

  1. Use and regularly update anti-virus software

  2. Develop and maintain secure systems and applications

Implement strong access control measures

  1. Restrict access to cardholder data by business need-to-know

  2. Assign a unique ID to each person with computer access

  3. Restrict physical access to cardholder data

Regularly monitor and test networks

  1. Track and monitor all access to network resources and cardholder data

  2. Regularly test security systems and processes

Maintain an information security policy

  1. Maintain a policy that addresses information security

To find out more about PCI DSS and view related documentation, visit the PCI Security Standards Council website.

Why data security matters

The more frequently credit and debit cards are used by consumers the more cardholder account information is being processed and potentially kept on file.

The result is the increased potential for fraudulent use of this data if organizations do not take the necessary steps to proactively collect and store this data in a secure manner. The PCI DSS program provides these organizations consistent standards to follow to maintain the integrity of the consumer cardholder data being collected and stored.

Consider the following key benefits to your business that protecting cardholder data can provide.

1. Builds consumer trust

Many customers not only seek out merchants they feel they can trust, but are also likely to return to those businesses and tell others. In a 2006 Visa-sponsored survey that spanned 12 countries, consumers ranked the security of personal and financial information as their number one concern. These consumers also indicated that merchant data security practices can influence their desire to purchase products and services.

Complying with industry standards helps demonstrate your commitment to protect your customers’ confidential payment information. This security is essential to build and maintain consumer trust.

2. Strengthens security

The main goal of PCI DSS is to protect confidential data at all points in the payment system. Complying with the program improves awareness of data security and helps you strengthen security measures to minimize the possibility of data security attacks

3. Avoids unnecessary costs

Implementing a strong data security policy will help you prevent a security breach that could cost your business by damaging your reputation and your bottom line.

Data breaches resulting from weak security practices could make your business vulnerable to costly forensic review, litigation, penalties and an overall drain on your business operations.

By implementing effective data security standards, you can avoid these expenses and protect your business’s good name.

4. Maintains a positive image

Being compliant with PCI DSS goes a long way toward protecting your reputation in the eyes of your customers and the press, given growing public concerns about safeguarding personal data.

5. Gains a competitive edge

A strong data security policy can help you build a reputation for trustworthiness and reliability. When your customers are confident their confidential account information is safe with you, their repeat business will boost your bottom line and give you an advantage over the competition.

Keeping your customer data safe from hackers

Follow these helpful security tips to protect your cardholder's information, as well as your business:

  1. Storage
    Keep cardholder information storage to a minimum and never store the information contained in a credit or debit card’s magnetic stripe.

  2. Accounts
    When you no longer need the account information, destroy it in a secure fashion. Never store the CVV, CVV2 or PIN.

  3. Network
    Ensure that your payment card acceptance environment is properly separated from public networks such as the Internet, and test your company’s security systems on a regular basis.

  1. Passwords
    Change system passwords and security codes from those supplied originally by software manufacturers.

  2. Encryption
    Encrypt all payment card information stored on the processor’s computers, as well as any card data transmitted over the Internet or other open public network.

  3. Access
    Only provide employees with access to customer data on a need-to-know basis, and ensure they each receive a unique ID. You should also have an information security policy that spells out rules for employees who handle customer data.

Making compliance a priority in your business

  • Software
    Review software and update preferences (especially your anti-virus and operating system) to ensure account information is not being stored without your knowledge. Check to see if your software is PA-DSS compliant.
  • Compliance
    Comply with security audits according to the PCI requirements found at the PCI Security Standards Council website,which includes all third-party suppliers with access to cardholder data.

Compliance with the PCI DSS

All merchants that store, process, or transmit cardholder data must comply with PCI DSS and validate their compliance using the appropriate method.

Below are the descriptions of the merchant levels and the validation requirements for each level, as determined by Visa Canada.

Merchant levels and validation requirements

Below you'll find the descriptions and validation requirements for each merchant level, as determined by Visa Canada.


Validation Requirements

Validated By

Merchant Level 1

Any merchant processing over 6,000,000 Visa transactions annually

  • Annual On-site PCI Data Security Assessment
  • Annual PCI Self Assessment Questionnaire
  • Quarterly Network Scan
  • Qualified Security Assessor (QSA)
  • Approved Scanning Vendor (ASV)

Merchant Level 2

Any merchant processing between 1,000,000 and 6,000,000 Visa transactions annually

  • Annual PCI Self Assessment Questionnaire
  • Quarterly Network Scan
  • Qualified Security Assessor (QSA)
  • Approved Scanning Vendor (ASV)

Merchant Level 3

Any merchant processing between 20,000 and 1,000,000 Visa e-commerce transactions annually

  • Annual PCI Self Assessment Questionnaire
  • Quarterly Network Scan
  • Approved Scanning Vendor (ASV)

Merchant Level 4

Any merchant processing fewer than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1,000,000 Visa transactions annually.

  • Annual PCI Self Assessment Questionnaire
  • Quarterly Network Scan

To help you meet your PCI compliance requirements, the PCI Security Standards Council offers resources for small Merchants.


For more information, please visit PCI Security Standards Council website.

Ensure your information is secure and you're PCI-compliant

Service provider compliance

A service provider is defined as an organization that stores, processes, or transmits cardholder data on behalf of a merchant or other service providers. All service providers are required to comply with PCI DSS, including validating their compliance to PCI DSS through the services of a Qualified Security Assessor (QSA).

For more information regarding the compliance requirements for service providers and to see a list of service providers that have validated their compliance to PCI DSS please see:

Visa’s Service Providers Compliance Requirements

Visa’s list of Validated Services Providers

Payment Application Data Security Standard

The Payment Application Data Security Standard (PA-DSS) is managed by the PCI SSC, and is intended to help software vendors develop secure third-party payment applications that support the PCI DSS standard.

All payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. Whereas applications that aren't intended for third parties are not subject to the PA-DSS – but they must still be secured in accordance with the PCI DSS.

Lastly, standalone point-of-sale terminals, database software and web server software are not applicable to the PA-DSS.

For more information on PA-DSS including a list of compliant payment applications, visit the PCI Security Standards Council website.

Get in touch

  • Contact us

    Our TD Merchant Solutions Specialists are ready to answer your questions, Monday-Friday 8:00AM – 8:00PM ET

    1 800-363-1163 1 800-363-1163
  • Have us call you

    Fill in your information to have a TD Merchant Solutions sales specialist contact you.

  • Find a sales executive

    Find a TD Merchant Solutions Regional Sales Executive.

Have a question? Find answers here