When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That's why Visa Inc. instituted the
Cardholder Information Security Program (CISP). Mandated since June 2001, CISP is intended to protect Visa cardholder data, wherever it resides, ensuring that members, merchants, and service providers maintain the highest information security standard.
In 2004, the CISP requirements were incorporated into an industry standard known as Payment Card Industry (PCI) Data Security Standard (DSS) resulting from a cooperative effort between Visa and MasterCard to create common industry security requirements. Effective September 7, 2006, the PCI Security Standards Council (SSC) owns, maintains and distributes the PCI DSS and all its supporting documents. Visa, however, continues to manage all data security compliance enforcement and validation initiatives.
PCI DSS Compliance
PCI DSS compliance is required of all entities that store, process, or transmit Visa cardholder data, including financial institutions, merchants and service providers. The PCI DSS applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and
The PCI DSS offers a single approach to safeguarding sensitive data for all card brands. The PCI DSS consists of twelve basic requirements categorized as follows:
| PCI Data Security Standard |
| --- |
| Build and Maintain a Secure Network |
| Protect Cardholder Data |
| Maintain a Vulnerability Management Program |
| Implement Strong Access Control Measures |
| Regularly Monitor and Test Networks |
| Maintain an Information Security Policy |
By complying with the PCI DSS, Visa members, merchants, and service providers not only meet their obligations to the payment system, but also build a culture of security that benefits everyone.
Separate and distinct from the mandate to comply with the PCI DSS is the validation of compliance whereby entities verify and demonstrate their compliance status. It is a fundamental and critical function that identifies and corrects vulnerabilities, and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of compliance validation based on the volume of transactions, the potential risk, and exposure introduced into the payment system by merchants and service providers.
| For a detailed description of: | Go to: |
| --- | --- |
| Visa merchant levels of compliance criteria and validation actions | Merchants |
| Service provider compliance criteria and validation actions | Service Providers |
The Visa Inc., Interlink, Inc., and Plus Systems, Inc. Operating Regulations govern the activities of member financial institutions and, by extension, merchants and service providers as participants in the Visa payment system.
Members must comply with the PCI DSS and are responsible for ensuring the compliance of their merchants, service providers, and their merchants' service providers. Merchant banks must include a PCI DSS compliance provision in all contracts with merchants and agents. Specific compliance requirements and validation criteria are provided at this website.
If a member, merchant, or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may fine the responsible member. Visa may waive fines in the event of a data compromise if there is no evidence of non-compliance with PCI DSS and Visa rules. To prevent fines, a member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation. Additionally, a member must demonstrate that, prior to the compromise, the compromised entity had already met the compliance validation requirements, demonstrating full compliance.
For more information
To learn more about Visa's compliance programs, contact Visa via email at AskVisaUSA@Visa.com.