The Merchant Solutions gives our merchants an ease-of-mind when it comes to cardholder security. We are always monitoring merchant accounts for potential risk situations.
When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That’s why Visa USA has instituted the Cardholder Information Security Program (CISP). Mandated since June 2001, CISP is intended to protect Visa cardholder data wherever it resides,ensuring that members, merchants, and service providers maintain the highest information security standard.
In 2004, the CISP requirements were incorporated into an industry standard known as Payment Card Industry (PCI) Data Security Standard resulting from a collaboration between Visa and MasterCard to create common industry security requirements. Visa USA maintains CISP as the managing program for data security compliance endorsing the PCI Data Security Standard.
If you are a non-U.S.-based entity, please visit Visa International Account Information Security (AIS).
The QDSC Program has also transitioned to the PCI SSC. Please refer to the the Assessors page for more information.
CISP compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. Compliance with CISP means compliance with the PCI Data Security Standard with the required program validation. The Payment Card Industry (PCI) Data Security Standard offers a single approach to safeguarding sensitive data for all card brands. Other card companies operating in the U.S. have also endorsed the PCI Data Security Standard within their respective programs. Using the PCI Data Security Standard as its framework, CISP provides the tools and measurements needed to protect against cardholder data exposure and compromise. The PCI Data Security Standard consists of twelve basic requirements and corresponding sub-requirements categorized as follows:
Build and maintain a secure network | Install and maintain a firewall configuration to protect data
Do not use vendor-supplied defaults for system passwords and other security parameters |
Protect cardholder data | Protect stored data
Encrypt transmission of cardholder data and sensitive information across public networks |
Maintain a vulnerability management program | Use and regularly update anti-virus software
Develop and maintain secure systems and applications |
Implement strong access control measures | Restrict access to data by business need-to-know
Assign a unique ID to each person with computer access Restrict physical access to cardholder data |
Regularly monitor and test networks | Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes |
Maintain an information security policy | Maintain a policy that addresses information security |
Separate and distinct from the mandate to comply with the PCI Data Security Standard is the validation of compliance whereby entities verify and demonstrate their compliance status. It is a fundamental and critical function that identifies and corrects vulnerabilities, and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of compliance validation based on the volume of transactions, the potential risk, and exposure introduced into the payment system by merchants and service providers.
By complying with the PCI Data Security Standard, Visa members, merchants, and service providers not only meet their obligations to the payment system, but also build a culture of security that benefits all parties.
Everyone | Limited risk
More confidence in the payment industry |
Member | Protected reputation |
Merchant and Service Provider | Competitive edge gained
Increased revenue and improved bottom line Positive image maintained Customers are protected |
Industry | “Good security neighbors” encouraged
Information is safeguarded |
Consumer | Identity theft prevention |
The Visa USA, Interlink, Inc., and Plus Systems, Inc. Operating Regulations govern the activities of member financial institutions and, by extension, merchants and service providers as participants in the Visa payment system.
Members must comply with CISP and are responsible for ensuring the compliance of their merchants, service providers, and their merchants’ service providers. Acquirers must include a CISP compliance provision in all contracts with merchants and Nonmember agents.
Specific compliance requirements and validation criteria are provided at this website.
If a member, merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may:
A member or the member’s service provider, or a merchant or the merchant’s service provider must immediately report the suspected or confirmed loss or theft of any material or records that contain Visa cardholder data.
If a member knows or suspects a security breach with a merchant or service provider, the member must take immediate action to investigate the incident and limit the exposure of cardholder data.
If a Visa member fails to immediately notify Visa USA Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.
Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.
Safe harbor provides members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise. To attain safe harbor status: