Visa's Account Information Security (AIS) program has undergone major changes. This modifies the criteria for classifying traders to report their compliance with the PCI DSS standard. This program defines the applicable requirements based on the number of card transactions processed annually, where level 4 has been excluded. Here we explain the impact and changes generated by this new classification criterion.
As explained in the article "Differences between a PCI SSC standard and a validation programIt is the payment brands, through their validation programs, that define who and how much must demonstrate compliance with PCI DSS security standards. This also applies to PCI DSS standard.
In that case, payment brands classify entities into two groups: merchants and service providers (service providers). Additionally, both merchants and service providers are subdivided into categories according to the total volume of annual transactions that the entity makes with the cards of a particular brand (Visa, MasterCard, Discover, JCB, CUP or AMEX). Depending on the category, different criteria are applied to demonstrate PCI DSS compliance, based on the potential risk of data engagement associated with it.
Changes to the Visa Validation Program
Previously, Visa had two different validation programs depending on the geographic area of applicability: Visa Customer Information Security Program (CISP) for USA and Visa Account Information Security (AIS) for the rest of the world. However, from August 2024 these two programmes were unified, leaving as the only valid programme Account Information Security (AIS).
As a result of this change, Visa introduced a rather subtle but highly impactful modification: the elimination of level 4 for traders. This level was combined with level 3, leaving only three (3) levels valid for establishing compliance requirements. PCI DSS:

Visa Compliance Levels for Merchants
Impact of this change
The objective of this change was to focus risk management on non-face-to-face transactions (card-not-present transactions). Bearing in mind that the levels of risk in face-to-face transactions have decreased thanks to the massification of secure point-of-interaction devices (Point-of-Interaction – POI or ‘dataphones’), the use of EMV chip transactions and the entry of payments with EMV Tokenization, Visa assumes that the greatest PCI DSS compliance effort should be put into e-commerce.
The criterion indicates that if an entity processes less than one (1) million e-commerce transactions, it will fall into this category. This does not imply that if the institution has face-to-face payment channels it is exempted from compliance; on the contrary: the case can be presented of a business that only accepts face-to-face payments and does not accept payments via e-commerce. In that case, e-commerce transactions are zero (0) and count face-to-face transactions. Another case could be that of an entity that processes only e-commerce transactions, but without face-to-face payment. If its transactions do not exceed the threshold of one million per year, it would remain at level 3.
As you can see, with Level 3 being the lowest level of compliance, it automatically becomes the default level at which any trader that does not match the number of Level 1 and 2 transactions is categorized.
What should affected traders do with this change?
Those who must define the level of compliance of a particular trade is its acquirer (i.e.: the entity that receives its transactions from its POS or e-commerce). It is the acquirers who can account for the number of annual transactions processed by the merchant and, based on this, establish their level and their applicable PCI DSS compliance reporting requirements.
Therefore, the recommendation is that all those businesses that were categorized as level 4 contact their acquirers to validate the steps to be followed to adapt to the criteria defined by Visa.
Finally, it is important to clarify that this change only affects transactions made with Visa cards. Transactions with other cards (MasterCard, for example) will not be affected by this change, as each brand has its own compliance programme and its own categorisation criteria.