Securing Cardholder Data
When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That's why Visa USA has instituted the Cardholder Information Security Program (CISP). Mandated since June 2001, CISP is intended to protect Visa cardholder data, wherever it resides, ensuring that members, merchants, and service providers maintain the highest information security standard.

In 2004, the CISP requirements were incorporated into an industry standard known as the Payment Card Industry (PCI) Data Security Standard, resulting from a collaboration between Visa and MasterCard to create common industry security requirements. Visa USA maintains CISP as the managing program for data security compliance, endorsing the PCI Data Security Standard.
If you are a non-U.S.-based entity, please visit Visa International Account Information Security (AIS).
Payment Card Industry (PCI) Data Security Standard
Visa has collaborated with other payment card companies to create a single set of industry requirements, called the Payment Card Industry (PCI) Data Security Standard, for consumer data protection. The PCI Data Security Standard aligns Visa's Account Information Security program (also known as the Cardholder Information Security Program in the U.S.) with MasterCard's Site Data Protection (SDP) program to create streamlined requirements, compliance criteria and validation processes.

The PCI Data Security Standard also addresses the concern of merchants and acquirers (financial institutions that enable merchants to accept Visa cards for payment) about having to meet more than one set of standards to accomplish a single goal.
How CISP Compliance Works
CISP compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. Compliance with CISP means compliance with the PCI Data Security Standard with the required program validation. The Payment Card Industry (PCI) Data Security Standard offers a single approach to safeguarding sensitive data for all card brands. Other card companies operating in the U.S. have also endorsed the PCI Data Security Standard within their respective programs.

Using the PCI Data Security Standard as its framework, CISP provides the tools and measurements needed to protect against cardholder data exposure and compromise. The PCI Data Security Standard (PDF, 149k) consists of twelve basic requirements and corresponding sub-requirements, categorized as follows:
PCI Data Security Standard

Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Protect stored data
- Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes

Maintain an Information Security Policy
- Maintain a policy that addresses information security
Compliance Validation
Separate and distinct from the mandate to comply with the PCI Data Security Standard is the validation of compliance, whereby entities verify and demonstrate their compliance status. It is a fundamental and critical function that identifies and corrects vulnerabilities, and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of compliance validation based on the volume of transactions, the potential risk, and the exposure introduced into the payment system by merchants and service providers.

Benefits of Compliance
- Limited risk
- More confidence in the payment industry
- Protected reputation
- Competitive edge gained
- Increased revenue and improved bottom line
- Positive image maintained
- Customers are protected
- "Good security neighbors" encouraged
- Information is safeguarded
- Identity theft prevention
Who benefits: Everyone; Member; Merchant and Service Provider; Industry; Consumer
Member Responsibilities
Members must comply with CISP and are responsible for ensuring the compliance of their merchants, service providers, and their merchants' service providers. Acquirers must include a CISP compliance provision in all contracts with merchants and Nonmember agents. Some specific compliance requirements and validation criteria can be found on this website.
CISP Compliance Penalties
If a member, merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may:
- Fine the responsible member
- Impose restrictions on the merchant or its agent
Safe Harbor
Safe harbor provides members protection from Visa fines and compliance exposure in the event that a member's merchant or service provider experiences a data compromise. To attain safe harbor status:
- A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach, as demonstrated during a forensic investigation.
- A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance.
- It is important to note that the submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise.
