Cardholder Security Program


The Merchant Solutions gives our merchants an ease-of-mind when it comes to cardholder security. We are always monitoring merchant accounts for potential risk situations.

Cardholder information security program

Securing Visa cardholder data

When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That’s why Visa USA has instituted the Cardholder Information Security Program (CISP). Mandated since June 2001, CISP is intended to protect Visa cardholder data wherever it resides,ensuring that members, merchants, and service providers maintain the highest information security standard.

In 2004, the CISP requirements were incorporated into an industry standard known as Payment Card Industry (PCI) Data Security Standard resulting from a collaboration between Visa and MasterCard to create common industry security requirements. Visa USA maintains CISP as the managing program for data security compliance endorsing the PCI Data Security Standard.

If you are a non-U.S.-based entity, please visit Visa International Account Information Security (AIS).

The QDSC Program has also transitioned to the PCI SSC. Please refer to the the Assessors page for more information.

How CISP compliance works

CISP compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. Compliance with CISP means compliance with the PCI Data Security Standard with the required program validation. The Payment Card Industry (PCI) Data Security Standard offers a single approach to safeguarding sensitive data for all card brands. Other card companies operating in the U.S. have also endorsed the PCI Data Security Standard within their respective programs. Using the PCI Data Security Standard as its framework, CISP provides the tools and measurements needed to protect against cardholder data exposure and compromise. The PCI Data Security Standard consists of twelve basic requirements and corresponding sub-requirements categorized as follows:

PCI Data Security Standard
Build and maintain a secure network Install and maintain a firewall configuration to protect data

Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data Protect stored data

Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a vulnerability management program Use and regularly update anti-virus software

Develop and maintain secure systems and applications

Implement strong access control measures Restrict access to data by business need-to-know

Assign a unique ID to each person with computer access Restrict physical access to cardholder data

Regularly monitor and test networks Track and monitor all access to network resources and cardholder data

Regularly test security systems and processes

Maintain an information security policy Maintain a policy that addresses information security

Compliance validation

Separate and distinct from the mandate to comply with the PCI Data Security Standard is the validation of compliance whereby entities verify and demonstrate their compliance status. It is a fundamental and critical function that identifies and corrects vulnerabilities, and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of compliance validation based on the volume of transactions, the potential risk, and exposure introduced into the payment system by merchants and service providers.

Why comply?

By complying with the PCI Data Security Standard, Visa members, merchants, and service providers not only meet their obligations to the payment system, but also build a culture of security that benefits all parties.

Benefits of compliance
Everyone Limited risk

More confidence in the payment industry

Member Protected reputation
Merchant and Service Provider Competitive edge gained

Increased revenue and improved bottom line

Positive image maintained

Customers are protected

Industry “Good security neighbors” encouraged

Information is safeguarded

Consumer Identity theft prevention

Visa regulations

The Visa USA, Interlink, Inc., and Plus Systems, Inc. Operating Regulations govern the activities of member financial institutions and, by extension, merchants and service providers as participants in the Visa payment system.

Member responsibilities

Members must comply with CISP and are responsible for ensuring the compliance of their merchants, service providers, and their merchants’ service providers. Acquirers must include a CISP compliance provision in all contracts with merchants and Nonmember agents.

Specific compliance requirements and validation criteria are provided at this website.

CISP compliance penalties

If a member, merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may:

  • Fine the responsible member
  • Impose restrictions on the merchant or its agent

Loss or theft of account information

A member or the member’s service provider, or a merchant or the merchant’s service provider must immediately report the suspected or confirmed loss or theft of any material or records that contain Visa cardholder data.

If a member knows or suspects a security breach with a merchant or service provider, the member must take immediate action to investigate the incident and limit the exposure of cardholder data.

If a Visa member fails to immediately notify Visa USA Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.

Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.

Safe harbor

Safe harbor provides members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise. To attain safe harbor status:

  • A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation.
  • A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance.
  • It is important to note that the submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise.