
CISP Compliancy - Merchant Levels


The Payment Card Industry (PCI) Data Security Standard is the result of a collaboration between Visa® and MasterCard to create common industry security requirements. Other card companies operating in the U.S. have also endorsed the Standard within their respective programs. Its 12 requirements, grouped into six control areas below, are the foundation of Visa’s CISP.

PCI Data Security Standard

    Build and Maintain a Secure Network

  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters


    Protect Cardholder Data

  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data and sensitive information across open public networks


    Maintain a Vulnerability Management Program

  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications


    Implement Strong Access Control Measures

  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data


    Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes


    Maintain an Information Security Policy

  12. Maintain a policy that addresses information security

Every piece of cardholder account information that passes through the Visa payment system is vital to our business operation. Without proper safeguards in place, however, this information is vulnerable to internal and external compromise, which often leads to fraud and identity theft. Visa’s Cardholder Information Security Program (CISP) defines the standard of due care expected of everyone who handles that data, to help keep sensitive cardholder data safe from hackers and fraudsters.

About the Program

CISP FAQs

What

Mandated since June 2001, Visa’s CISP is intended to protect Visa cardholder data—wherever it resides.

Who

All members must comply and ensure the compliance of their merchants and service providers. The program applies to all payment channels, including card present, mail/telephone order, and e-commerce.

How

To achieve CISP compliance, all members, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard, which offers a single approach to safeguarding sensitive data for all card brands.

Why

By complying with CISP requirements, Visa members, merchants, and service providers not only meet their obligations to the Visa payment system, but also build a culture of security that benefits all parties.

Everyone
  • Limited risk
  • More confidence in the payment industry
Member
  • Protected reputation
Merchant & Service Provider
  • Competitive edge gained
  • Increased revenue and improved bottom line
  • Positive image maintained
  • Customers are protected
Industry
  • “Good security neighbors” encouraged
  • Information is safeguarded
Consumer
  • Identity theft prevention

CISP Compliance Validation

Separate and distinct from the mandate to comply with CISP requirements is the validation of compliance. Validation is a critical function: it identifies and corrects vulnerabilities by confirming that appropriate levels of cardholder information security are actually maintained, not merely claimed. Visa has prioritized and defined levels of CISP compliance validation based on transaction volume and on the potential risk and exposure that merchants and service providers introduce into the Visa system.

Depending on their level, some merchants and service providers validate compliance through an Annual On-Site Security Audit plus a Quarterly Network Scan, while others complete an Annual Self-Assessment Questionnaire plus the same quarterly network scan. Issuers and acquirers must also identify and review the list of all third-party service providers that they use, or that their merchants use, and ensure those providers are CISP-compliant.
