Data Security

Data Security

Reassurance for your customers

All Visa merchants must take extra care to protect cardholder data from internal or external compromises. Find out how Visa's extensive security efforts help you safeguard your customers' information.

Merchant responsibilities

Data security should be a key component of all merchant policies and practices related to payment acceptance and transaction processing. As customers seek out merchants that are reputable and reliable, they expect assurance that their account information is being guarded and their personal data is safe.

  • Secure storage:According to the Visa U.S.A. Inc. Operating Regulations, merchants are responsible for ensuring that account information is stored in secure, limited-access areas. In addition, merchants are prohibited from storing magnetic stripe information following a transaction and disclosing cardholder data to anyone—except if it is needed by a merchant bank, card issuer, or third-party processor to complete a sale.
  • Prevent employee fraud scams:A merchant’s data security policies should also be designed to prevent fraud scams involving collusive employees. Whenever possible, account numbers should be encrypted or scrambled during transaction processing. Unauthorized electronic equipment—such as laptop computers—that can be used to steal or replicate account information should not be allowed in the workplace.
  • Encryption software:Data security should be of special concern to e-commerce merchants. Encryption software is required to protect account information during online transactions, and merchants must also ensure that account data cannot be accessed online. To make cardholder data "hacker-proof," merchants can either use firewalls—which may include encryption, passwords, or other protections—or store the account data on a computer with no Internet access.

Visa Cardholder Information Security Program (CISP)

The Visa Cardholder Information Security Program (CISP) applies to any entity that stores, processes, or transmits Visa cardholder information.

CISP consists of twelve basic requirements for safeguarding account data, supported by more detailed sub-requirements. These data security requirements apply to all members, merchants, and their service providers. Validation of compliance, however, is prioritized based on the volume of cardholder data and the potential risk introduced into the Visa system by merchants and service providers.

Learn more about Visa CISP.

Tips for protecting confidential business information

  • Empty the mailbox.Never leave outgoing or incoming mail in pick-up boxes overnight. This is your best defense against possible off-hour mail snoops.
  • Watch the fax.A document sitting on the fax waiting for pick-up is an open invitation for prying eyes. Try to stand by the fax machine to receive sensitive information as soon as it comes in.
  • Send email sparingly.When sending sensitive information via email, encrypt it first—or don’t send it at all. There’s always the possibility of cyber-thief interception or an accidental electronic distribution.
  • Make copies carefully.Private matters can go public fast when juicy stuff gets left behind. When making copies of sensitive documents, remember to grab your originals off the copy machine.
  • Use the shredder.Always shred sensitive information before dumping it in the trash bin. If you can’t shred, use receptacles designed for sensitive paper disposal.
  • Leave discrete voicemail messages.You never know who’s standing within earshot of someone’s work area, so avoid leaving a detailed voice-mail message if it involves sensitive information.
  • Protect your onsite ID.Play it safe with your ID badges, office keys, and building-entry codes. Protect them as you would your own credit cards and cash.
  • Keep things private in public.When you’re in a public place, think twice before discussing proprietary information or any details about sensitive projects. You never know who’s listening.
  • Identify strangers.Don't make it easy for an outsider to pull an inside job. If you see an unfamiliar face roaming around your office, step up and ask if you can assist. Make your presence known.
  • Be careful with your documents.Remove all sensitive materials from your work area when you’re not using them or at the end of the day. Be sure to lock them in the appropriate file cabinets, desk drawers, etc.
  • Note what's on your screen.Those account numbers and financial details on your computer screen are intended for your eyes only! To keep it that way, use a glare screen to minimize easy information access.
  • Limit cell phone conversations.Anyone can listen in on your cellular conversations. All it takes is a good ear and a decent scanner. Avoid sharing any sensitive information over a cell phone.

Related Information