
May 21, 2013

PCI COMPLIANCE

Securing Visa Cardholder Data

When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That’s why Visa USA has instituted the Cardholder Information Security Program (CISP). Mandated since June 2001, the program is intended to protect Visa cardholder data—wherever it resides—ensuring that members, merchants, and service providers maintain the highest information security standard.

How CISP compliance works

CISP compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. To achieve compliance with CISP, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard, which offers a single approach to safeguarding sensitive data for all card brands. This Standard is a result of a collaboration between Visa and MasterCard and is designed to create common industry security requirements, incorporating the CISP requirements. Other card companies operating in the U.S. have also endorsed the PCI Data Security Standard within their respective programs.

Using the PCI Data Security Standard as its framework, CISP provides the tools and measurements needed to protect against cardholder data exposure and compromise across the entire payment industry. The PCI Data Security Standard consists of twelve basic requirements supported by more detailed sub-requirements:

 

PCI Data Security Standard

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security

 

CISP compliance validation

Separate and distinct from the mandate to comply with CISP requirements is the validation of compliance. It is a fundamental and critical function that identifies and corrects vulnerabilities, and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of CISP compliance validation based on the volume of transactions, the potential risk, and exposure introduced into the Visa system by merchants and service providers.

For a detailed description of:

  • Visa merchant levels of CISP compliance criteria and validation actions, go to: Merchants
  • Service provider CISP compliance criteria and validation actions, go to: Service Providers


Why comply?

By complying with CISP requirements, Visa members, merchants, and service providers not only meet their obligations to the Visa payment system, but also build a culture of security that benefits everyone.

Benefits of CISP

Everyone

  • Limited risk
  • More confidence in the payment industry

Member

  • Protected reputation

Merchant and Service Provider

  • Competitive edge gained
  • Increased revenue and improved bottom line
  • Positive image maintained
  • Customers are protected

Industry

  • "Good security neighbors" encouraged

Consumer

  • Information is safeguarded
  • Identity theft prevention


Visa regulations

The Visa USA Operating Regulations govern the activities of member financial institutions and, by extension, merchants and service providers as participants in the Visa payment system. The simplified requirements presented here should help clarify the intent of the more formal regulations.

Member CISP responsibilities

Members are responsible for ensuring the CISP compliance of their merchants, service providers, and their merchants' service providers. Although there may not be a direct contractual relationship between merchant service providers and acquiring members, all members remain responsible for any liability that may occur as a result of CISP non-compliance. Acquirers must include a CISP compliance provision in all contracts with merchants and Nonmember agents.


Disclosure of cardholder information

Issuers, acquirers, and merchants may disclose Visa transaction information only to service providers approved by Visa (i.e., those who support a loyalty program or provide fraud control services).

To receive Visa approval, a service provider must comply with the CISP requirements. Additionally, a member that discloses or allows its merchants to disclose Visa transaction information to a third party that has not demonstrated CISP compliance will be subject to the program fines and penalties.

CISP compliance penalties

If a merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may:

  • Fine the acquiring member
  • Impose restrictions on the merchant or its agent, or
  • Permanently prohibit the merchant or its agent from participating in Visa programs

Members receive protection from fines for merchants or service providers that have been compromised but found to be CISP-compliant at the time of the security breach. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not CISP-compliant at the time of the incident.


Renaissance Associates is an ISO/MSP of Merrick Bank Corporation, South Jordan, Utah.

Copyright (c) 2013 Renaissance Associates