Designing a secure permissionless distributed ledger that performs on par with centralized payment processors such as Visa is challenging. Most existing distributed ledgers are unable to “scale-out” – growing total processing capacity with number of participants – and those that do compromise security or decentralization. This work presents OmniLedger, the first scale-out distributed ledger that can preserve long-term security under permissionless operation. OmniLedger ensures strong correctness and security by using a bias-resistant public randomness protocol to choose large statistically representative shards to process transactions, and by introducing an efficient cross-shard commit protocol to handle transactions affecting multiple shards atomically. In addition, OmniLedger optimizes performance via scalable intra-shard parallel transaction processing, ledger pruning via collectively-signed state blocks, and optional low-latency “trust-but-verify” validation of low-value transactions. Evaluation of our working experimental prototype shows that OmniLedger’s throughput scales linearly in the number of validators available, supporting Visa-level workloads and beyond, while confirming typical transactions in under two seconds.