Cardholder Information Security Program

CISP Overview

When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That’s why Visa Inc. instituted the Cardholder Information Security Program (CISP). Mandated since June 2001, CISP is intended to protect Visa cardholder data–wherever it resides–ensuring that members, merchants, and service providers maintain the highest information security standard.

In 2004, the CISP requirements were incorporated into an industry standard known as Payment Card Industry (PCI) Data Security Standard (DSS) resulting from a cooperative effort between Visa and MasterCard to create common industry security requirements. Effective September 7, 2006, the PCI Security Standards Council (SSC) owns, maintains and distributes the PCI DSS and all its supporting documents. Visa, however, continues to manage all data security compliance enforcement and validation initiatives.

If you are a non-U.S.-based entity, please visit Visa International Account Information Security (AIS).

PCI DSS compliance is required of all entities that store, process, or transmit Visa cardholder data, including financial institutions, merchants and service providers. The PCI DSS applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. Visa Inc.'s compliance programs manage compliance with the PCI DSS with the required program validation.

The PCI DSS offers a single approach to safeguarding sensitive data for all card brands. The PCI DSS consists of twelve basic requirements categorized as follows:

PCI Data Security Standard
Build and Maintain a Secure Network	Install and maintain a firewall configuration to protect data Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data	Protect stored data Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program	Use and regularly update anti-virus software Develop and maintain secure systems and applications
Implement Strong Access Control Measures	Restrict access to data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data
Regularly Monitor and Test Networks	Track and monitor all access to network resources and cardholder data Regularly test security systems and processes
Maintain an Information Security Policy	Maintain a policy that addresses information security

By complying with the PCI DSS, Visa members, merchants, and service providers not only meet their obligations to the payment system, but also build a culture of security that benefits everyone.

Compliance validation

Separate and distinct from the mandate to comply with the PCI DSS is the validation of compliance whereby entities verify and demonstrate their compliance status. It is a fundamental and critical function that identifies and corrects vulnerabilities, and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of compliance validation based on the volume of transactions, the potential risk, and exposure introduced into the payment system by merchants and service providers.

For a detailed description of:	Go to:
Visa merchant levels of compliance criteria and validation actions	Merchants
Service provider compliance criteria and validation actions	Service Providers

Visa regulations

The Visa Inc., Interlink, Inc., and Plus Systems, Inc. Operating Regulations govern the activities of member financial institutions and, by extension, merchants and service providers as participants in the Visa payment system.

Members must comply with the PCI DSS and are responsible for ensuring the compliance of their merchants, service providers, and their merchants' service providers. Acquirers must include a PCI DSS compliance provision in all contracts with merchants and agents. Specific compliance requirements and validation criteria are provided at this website.

Compliance Fines

If a member, merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may fine the responsible member. Visa may waive fines in the event of a data compromise if there is no evidence of non-compliance with PCI DSS and Visa rules. To prevent fines a member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation. Additionally, a member must demonstrate that prior to the compromise the compromised entity had already met the compliance validation requirements, demonstrating full compliance.

Learn more

For more information

To learn more about the Visa's compliance programs, contact Visa via email at AskVisaUSA@Visa.com.

Top Downloads

Visa's Business Guide to Data Security
What to Do If Compromised PDF | 612k
Top Five Data Security Vulnerabilities PDF | 39k
CISP Overview PDF | 664k
PCI Data Security Standard
View all CISP downloads

Related Information

Card-Not-Present Fraud Detection
Improve detection capabilities with Card Verification Value2 (CVV2)
Account Data Compromise Recovery (ADCR)
Learn about a new recovery process that is used for magnetic-stripe data that has been determined as compromised.
Verified by Visa
Protect yourself--and your customers--from fraud.

Site Utilities

Navigation