
PCI Cardholder Information Security Program

June 11, 2008

Cardholder Information Security Program. European Payment Council (EPC).

Securing Visa Cardholder Data

When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That’s why Visa USA has instituted the Cardholder Information Security Program (CISP). Mandated since June 2001, the program is intended to protect Visa cardholder data—wherever it resides—ensuring that members, merchants, and service providers maintain the highest information security standard.
If you are a non-U.S.-based entity, please visit Visa International Account Information Security (AIS).

On this page

·     How CISP Compliance Works
·     CISP Compliance Validation
·     Why Comply?
·     Visa Regulations
·     Member CISP Responsibilities
·     Disclosure of Cardholder Information
·     CISP Compliance Penalties
·     Loss or Theft of Account Information
·     Learn More
·     For More Information

How CISP Compliance Works

CISP compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. To achieve compliance with CISP, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard, which offers a single approach to safeguarding sensitive data for all card brands. This Standard is a result of a collaboration between Visa and MasterCard and is designed to create common industry security requirements, incorporating the CISP requirements. Other card companies operating in the U.S. have also endorsed the PCI Data Security Standard within their respective programs.

Using the PCI Data Security Standard as its framework, CISP provides the tools and measurements needed to protect against cardholder data exposure and compromise across the entire payment industry.

The PCI Data Security Standard consists of twelve basic requirements supported by more detailed sub-requirements:

PCI Data Security Standard
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
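The requirements to protect stored data (3), restrict access by need-to-know (7) and track access to cardholder data (10) all start from the same practical problem: knowing where primary account numbers (PANs) actually sit. The Python below is an added example, not code from the Visa page or from the PCI standard. It scans text for candidate PANs, keeps only those that pass the Luhn mod-10 check, masks them to the first six and last four digits (the masking PCI DSS permits when a PAN is displayed), and can rewrite a log with the PANs redacted. The sample log lines are constructed for the example; the brand flag assumes only that Visa PANs begin with 4.

```python
import re
from typing import NamedTuple

# Constructed sample input (not real data): a few order-log lines with
# different digit separators and a decoy number that is not a card.
SAMPLE_LOG = """\
order=1001 card=4111111111111111 exp=12/09 cvv=123
order=1002 card=4111-1111-1111-1112 exp=01/10
order=1003 card=4012 8888 8888 1881 exp=03/11
order=1004 ref=1234567890123456 note=not a card
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits; star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class Finding(NamedTuple):
    line_no: int   # 1-based line number in the scanned text
    masked: str    # masked PAN, safe to put in a report
    visa: bool     # assumption: a PAN starting with 4 is a Visa PAN


def find_pans(text: str) -> list[Finding]:
    """Return every Luhn-valid candidate PAN in text, already masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(line_no, mask_pan(digits), digits.startswith("4")))
    return findings


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form.

    Candidates that fail the Luhn check (order numbers, references)
    are left untouched so the log stays useful.
    """
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return CANDIDATE_RE.sub(repl, text)


if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.masked} visa={f.visa}")
    print(redact(SAMPLE_LOG))
```

Run against the sample, lines 1 and 3 are reported as Visa PANs while line 2 (fails Luhn) and line 4 (a reference number) are ignored. The Luhn filter cuts false positives but is not proof that a number is a real card, so a hit still needs the same handling the program requires for any stored cardholder data.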

CISP Compliance Validation

Separate and distinct from the mandate to comply with CISP requirements is the validation of compliance. Validation is a fundamental and critical function that identifies and corrects vulnerabilities, and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of CISP compliance validation based on the volume of transactions and on the potential risk and exposure that merchants and service providers introduce into the Visa system.

For a detailed description of:
  Visa merchant levels of CISP compliance criteria and validation actions, go to: Merchants
  Service provider CISP compliance criteria and validation actions, go to: Service Providers


Why Comply?

By complying with CISP requirements, Visa members, merchants, and service providers not only meet their obligations to the Visa payment system, but also build a culture of security that benefits everyone.

Benefits of CISP
Everyone
  • Limited risk
  • More confidence in the payment industry
Member
  • Protected reputation
Merchant and Service Provider
  • Competitive edge gained
  • Increased revenue and improved bottom line
  • Positive image maintained
  • Customers are protected
Industry
  • “Good security neighbors” encouraged
Consumer
  • Information is safeguarded
  • Identity theft prevention

Visa Regulations

The Visa USA Operating Regulations govern the activities of member financial institutions and, by extension, merchants and service providers as participants in the Visa payment system. The simplified requirements presented here should help clarify the intent of the more formal regulations.

Member CISP Responsibilities

Members are responsible for ensuring the CISP compliance of their merchants, service providers, and their merchants’ service providers. Although there may not be a direct contractual relationship between merchant service providers and acquiring members, all members remain responsible for any liability that may occur as a result of CISP non-compliance. Acquirers must include a CISP compliance provision in all contracts with merchants and Nonmember agents.

Disclosure of Cardholder Information

Issuers, acquirers, and merchants may disclose Visa transaction information only to service providers approved by Visa (i.e., those who support a loyalty program or provide fraud control services).

To receive Visa approval, a service provider must comply with the CISP requirements. Additionally, a member that discloses or allows its merchants to disclose Visa transaction information to a third party that has not demonstrated CISP compliance will be subject to the program fines and penalties.

CISP Compliance Penalties

If a merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may:
·     Fine the acquiring member
·     Impose restrictions on the merchant or its agent, or
·     Permanently prohibit the merchant or its agent from participating in Visa programs

Members receive protection from fines for merchants or service providers that have been compromised but found to be CISP-compliant at the time of the security breach. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not CISP-compliant at the time of the incident.

Loss or Theft of Account Information

A member or the member’s service provider, or a merchant or the merchant’s service provider, must immediately report to Visa the suspected or confirmed loss or theft of any material or records that contain Visa cardholder data.

If a member knows or suspects a security breach with a merchant or service provider, the member must take immediate action to investigate the incident and limit the exposure of cardholder data.

If a Visa member fails to immediately notify Visa USA Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.

Additional fines may be levied for exceptional circumstances where the violation presents immediate and substantial risks to Visa and its members.