Cardholder Security Program

Cardholder Security Program

The Merchant Solutions gives our merchants an ease-of-mind when it comes to security. We are always monitoring merchant accounts for potential risk situations.

Cardholder information security program

  • Securing Visa cardholder data
  • How CISP compliance works
  • Compliance validation
  • Why comply?
  • Visa regulations
  • Member responsibilities
  • CISP compliance penalties
  • Loss or theft of account information
  • Safe harbor

Cardholder information security program provided by Visa

Securing Visa cardholder data

When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That’s why Visa USA has instituted the Cardholder Information Security Program (CISP). Mandated since June 2001, CISP is intended to protect Visa cardholder data wherever it resides,ensuring that members, merchants, and service providers maintain the highest information security standard.

In 2004, the CISP requirements were incorporated into an industry standard known as Payment Card Industry (PCI) Data Security Standard resulting from a collaboration between Visa and MasterCard to create common industry security requirements. Visa USA maintains CISP as the managing program for data security compliance endorsing the PCI Data Security Standard.

If you are a non-U.S.-based entity, please visit Visa International Account Information Security (AIS).

The QDSC Program has also transitioned to the PCI SSC. Please refer to the the Assessors page for more information.

How CISP compliance works

CISP compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. Compliance with CISP means compliance with the PCI Data Security Standard with the required program validation. The Payment Card Industry (PCI) Data Security Standard offers a single approach to safeguarding sensitive data for all card brands. Other card companies operating in the U.S. have also endorsed the PCI Data Security Standard within their respective programs.

Using the PCI Data Security Standard as its framework, CISP provides the tools and measurements needed to protect against cardholder data exposure and compromise. The PCI Data Security Standard consists of twelve basic requirements and corresponding sub-requirements categorized as follows:

PCI Data Security Standard

  • Build and maintain a secure network
    • Install and maintain a firewall configuration to protect data
    • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect cardholder data
    • Protect stored data
    • Encrypt transmission of cardholder data and sensitive information across public networks
  • Maintain a vulnerability management program
    • Use and regularly update anti-virus software
    • Develop and maintain secure systems and applications
  • Implement strong access control measures
    • Restrict access to data by business need-to-know
    • Assign a unique ID to each person with computer access
      • Restrict physical access to cardholder data
    • Regularly monitor and test networks
      • Track and monitor all access to network resources and cardholder data
      • Regularly test security systems and processes
    • Maintain an information security policy
      • Maintain a policy that addresses information security

    Compliance validation

    Separate and distinct from the mandate to comply with the PCI Data Security Standard is the validation of compliance whereby entities verify and demonstrate their compliance status. It is a fundamental and critical function that identifies and corrects vulnerabilities, and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of compliance validation based on the volume of transactions, the potential risk, and exposure introduced into the payment system by merchants and service providers.

    For a detailed description of:

    • Visa merchant levels of compliance criteria and validation actions
    • Service provider compliance criteria and validation actions

    Why comply?

    By complying with the PCI Data Security Standard, Visa members, merchants, and service providers not only meet their obligations to the payment system, but also build a culture of security that benefits all parties.

    Benefits of compliance

    • Everyone
      • Limited risk
      • More confidence in the payment industry
    • Member
      • Protected reputation
    • Merchant and Service Provider
      • Competitive edge gained
      • Increased revenue and improved bottom line
      • Positive image maintained
      • Customers are protected
    • Industry
      • “Good security neighbors” encouraged
      • Information is safeguarded
    • Consumer
      • Identity theft prevention

        Visa regulations

        The Visa USA, Interlink, Inc., and Plus Systems, Inc. Operating Regulations govern the activities of member financial institutions and, by extension, merchants and service providers as participants in the Visa payment system.

        Member responsibilities

        Members must comply with CISP and are responsible for ensuring the compliance of their merchants, service providers, and their merchants’ service providers. Acquirers must include a CISP compliance provision in all contracts with merchants and Nonmember agents.

        Specific compliance requirements and validation criteria are provided at this website.

        CISP compliance penalties

        If a member, merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may:

        • Fine the responsible member
        • Impose restrictions on the merchant or its agent
          • Loss or theft of account information

            A member or the member’s service provider, or a merchant or the merchant’s service provider must immediately report the suspected or confirmed loss or theft of any material or records that contain Visa cardholder data.

            If a member knows or suspects a security breach with a merchant or service provider, the member must take immediate action to investigate the incident and limit the exposure of cardholder data.

            If a Visa member fails to immediately notify Visa USA Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.

            Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.

            Safe harbor

            Safe harbor provides members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise. To attain safe harbor status:

            • A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation.
            • A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance.
            • It is important to note that the submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise.