CARDHOLDER INFORMATION SECURITY PROGRAM
Securing Visa Cardholder Data
When customers offer their bankcard at the point of sale, over the Internet,
on the phone, or through the mail, they want assurance that their account
information is safe. That’s why Visa USA has instituted the Cardholder
Information Security Program (CISP). Mandated since June 2001, the program
is intended to protect Visa cardholder data—wherever it resides—ensuring that
members, merchants, and service providers maintain the highest information
security standard.
How CISP compliance works
CISP compliance is required of all merchants and service providers that
store, process, or transmit Visa cardholder data. The program applies to all
payment channels, including retail (brick-and-mortar), mail/telephone order, and
e-commerce. To achieve compliance with CISP, merchants and service providers
must adhere to the Payment Card Industry (PCI) Data Security Standard, which
offers a single approach to safeguarding sensitive data for all card brands.
This Standard is a result of a collaboration between Visa and MasterCard and is
designed to create common industry security requirements, incorporating the CISP
requirements. Other card companies operating in the U.S. have also endorsed the
PCI Data Security Standard within their respective programs.
Using the PCI Data Security Standard as its framework, CISP provides the
tools and measurements needed to protect against cardholder data exposure and
compromise across the entire payment industry. The
PCI Data Security Standard (PDF, 149k) consists of twelve basic requirements
supported by more detailed sub-requirements:
PCI Data Security Standard

Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Protect stored data
- Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes

Maintain an Information Security Policy
- Maintain a policy that addresses information security
CISP compliance validation
Separate and distinct from the mandate to comply with CISP requirements is
the validation of compliance. It is a fundamental and critical function
that identifies and corrects vulnerabilities, and protects customers by ensuring
that appropriate levels of cardholder information security are maintained. Visa
has prioritized and defined levels of CISP compliance validation based on the
volume of transactions and on the potential risk and exposure that merchants and
service providers introduce into the Visa system.
| For a detailed description of: | Go to: |
| --- | --- |
| Visa merchant levels of CISP compliance criteria and validation actions | Merchants |
| Service provider CISP compliance criteria and validation actions | Service Providers |
Why comply?
By complying with CISP requirements, Visa members, merchants, and service
providers not only meet their obligations to the Visa payment system, but also
build a culture of security that benefits everyone.
Benefits of CISP

Everyone
- Limited risk
- More confidence in the payment industry

Member

Merchant and Service Provider
- Competitive edge gained
- Increased revenue and improved bottom line
- Positive image maintained
- Customers are protected

Industry
- "Good security neighbors" encouraged

Consumer
- Information is safeguarded
- Identity theft prevention
Visa regulations
The Visa USA Operating Regulations govern the activities of member financial
institutions and, by extension, merchants and service providers as participants
in the Visa payment system. The simplified requirements presented here should
help clarify the intent of the more formal regulations.
Member CISP responsibilities
Members are responsible for ensuring the CISP compliance of their merchants,
service providers, and their merchants' service providers. Although there may
not be a direct contractual relationship between merchant service providers and
acquiring members, all members remain responsible for any liability that may
occur as a result of CISP non-compliance. Acquirers must include a CISP
compliance provision in all contracts with merchants and Nonmember agents.
Disclosure of cardholder information
Issuers, acquirers, and merchants may disclose Visa transaction information
only to service providers approved by Visa (i.e., those who support a loyalty
program or provide fraud control services).
To receive Visa approval, a service provider must comply with the CISP
requirements. Additionally, a member that discloses or allows its merchants to
disclose Visa transaction information to a third party that has not demonstrated
CISP compliance will be subject to the program fines and penalties.
CISP compliance penalties
If a merchant or service provider does not comply with the security
requirements or fails to rectify a security issue, Visa may:
- Fine the acquiring member
- Impose restrictions on the merchant or its agent, or
- Permanently prohibit the merchant or its agent from participating in Visa
programs
Members receive protection from fines for merchants or service providers that
have been compromised but found to be CISP-compliant at the time of the security
breach. Members are subject to fines, up to $500,000 per incident, for any
merchant or service provider that is compromised and not CISP-compliant at the
time of the incident.