Visa Merchant Business News Digest
The Visa Merchant Business News Digest provides a summary of recent Visa Business News publications that highlight key merchant-related publications. Updated monthly.
Visa is updating conditions for subscriptions using introductory trials/promotions
To enable greater transparency, choice, and control for customers, from 18 April 2020 Visa is updating its rules related to transactions at merchants that offer free trials or introductory offers as part of an ongoing subscription service.
December 11, 2019
Visa Security Alert (PSI): Cybercrime Groups Targeting Fuel Dispenser Merchants
In summer 2019, Visa Payment Fraud Disruption (PFD) identified three unique attacks targeting merchant point-of-sale (POS) systems that were likely carried out by sophisticated cybercrime groups. PFD recently reported on the observed increase of POS attacks against fuel dispenser merchants, and it is likely these merchants are an increasingly attractive target for cybercrime groups. Track 1 and track 2 payment card data was at risk in the merchant’s POS environments due to the lack of secure acceptance technology, (e.g. EMV® Chip, Point-to-Point Encryption, Tokenization, etc.) and non-compliance with PCI DSS. The activity detailed in this alert highlights continued targeting of POS systems, as well as targeted interest in compromising fuel dispenser merchants to obtain track data.
November 13, 2019
Visa Security Alert (PSI): Attacks Targeting Point-Of-Sale at Fuel Dispenser Merchants
In August and September 2019, Visa Payment Fraud Disruption (PFD) investigated two separate breaches at North American fuel dispenser merchants. The attacks involved the use of point-of-sale (POS) malware to harvest payment card data from fuel dispenser merchant POS systems. It is important to note that this attack vector differs significantly from skimming at fuel pumps, as the targeting of POS systems requires the threat actors to access the merchant’s internal network.
November 4, 2019
Visa Security Alert (PSI): New JavaScript Skimmer 'Pipka' Targeting eCommerce Merchants Identified
In September 2019, Visa Payment Fraud Disruption’s (PFD) eCommerce Threat Disruption (eTD) program identified a new JavaScript skimmer that targets payment data entered into payment forms of eCommerce merchant websites. PFD is naming the skimmer Pipka, due to the skimmer’s configured exfiltration point at the time of analysis (as shown below in the Pipka C2s). Pipka was identified on a North American merchant website that was previously infected with the JavaScript skimmer Inter, and PFD has since identified at least sixteen additional merchant websites compromised with Pipka.
October 23, 2019
Webinar: Compromise Event Reporting and Response
Visa hosted a webinar to review requirements, procedures and timelines for reporting and responding to a suspected or confirmed account data compromise event. In addition, the webinar will explore compromise trends and fraud schemes and the suite of Visa security capabilities designed to prevent and disrupt payment fraud.
September 27, 2019
Best Practices: Improve the Customer Return Process
Starting in October 2018, merchants that meet specific volume thresholds for purchase returns on Visa accounts will be required to process a purchase return authorization for each return. All other merchants are required to process purchase return authorizations beginning in April 2019.
August 6, 2019
Visa Security Alert (PSI): eCommerce JavaScript Skimming Campaign Targeting Service Providers
In April 2019, there have been at least eight eCommerce service providers who had been targeted with JavaScript skimming attacks. Visa Payment Fraud Disruption (PFD) found the same malware and the same infrastructure for data exfiltration used across these eight cases. In July 2019, researchers reported that these service provider attacks were much more significant than initially believed and affected over 17,000 domains that integrated code from the service providers targeted in April. The attacks were reportedly successful due to an automated process whereby the attackers scanned for misconfigured write permissions in a widely-used content delivery network (CDN).
PDF 213 KB
June 25, 2019
Visa Security Alert (PSI): Alina Point-of-Sale (POS) Malware Classifications
In June 2019, Visa’s Payment Fraud Disruption (PFD) analyzed a malware sample from the recent compromise of a North American hospitality merchant and identified the malware as a variant of the Alina Point-of-Sale (POS) malware family. Alina dates back to at least 2013, and is one of many malware strains that possesses a Random Access Memory (RAM) scraper, which is specifically designed to steal payment account information from the memory, or RAM, of the targeted system. Given the upload and compile dates, and recently observed operations leveraging Alina, PFD assesses Alina POS is in active use and remains a popular malware variant for POS targeting.
Also see Indicators of Compromise.
June 2019
Visa Payment Acceptance Best Practices for U.S. Retail Petroleum Merchants
The best ways to process card transactions and manage the risks posed by card payments in the fuel segment.
PDF 2.5 MB
April 1, 2019
Costco Members Tap Into Checkout
Tapping to pay is quickly becoming the standard way to pay at checkouts around the world. Driven by a continued focus on improving their member experience, Costco, a global retail leader, implemented contactless technology at the point-of-sale across more than 525 warehouses in the U.S. This case study provides an overview of their decision to make the transition to contactless, key steps they took and the impact they have seen as a result of implementation.
Mar 21, 2019
Visa Merchant Dispute Resolution Best Practices
This document is designed to help merchants properly handle transactions that have been charged back to their business by their acquiring bank. Here you will find best practices targeted to the needs of both card-present and card-absent merchants.
Feb 25, 2019
Visa Security Alert (PSI): FIN6 Cybercrime Group Expands Threat to eCommerce Merchants
Based on Visa Payment Fraud Disruption’s (PFD) analysis of eCommerce compromises throughout 2018, FIN6’s focus on the CNP environment has only amplified, suggesting that the cybercrime group has fully incorporated targeting CNP environments into their criminal methodology.
PDF 429 KB
January 29, 2019
Visa Security Alert (PSI): Same “PwnPOS” File Identified in Multiple Point-of-Sale Breaches in North America
Visa’s Payment Fraud Disruption (PFD) team was the first to link the exact same PwnPOS malware file hash across seven recent point-of-sale breaches reported since March 2018 in North America. It was also found that each of the PwnPOS malware files recovered from the 2018 breaches were the same across all compromises, rendering PwnPOS an easily identifiable malware family.
Also see Indicators of Compromise.
PDF 166 KB
November 15, 2018
Webinar: Review PCI Data Security Essentials (DSE) for Small Merchants
Visa hosted a webinar to review Payment Card Industry Data Security Essentials (PCI DSE) material to help acquirers and merchants understand how it may apply to them.
PDF 1.9 MB
September 20, 2018
PCI DSS Validation Best Practice Review
Visa hosted a webinar on September 20, 2018 to cover a brief introduction to PCI SSC and PCI DSS, as well as a discussion on best practice to review PCI DSS validation documents, including samples and examples of PCI DSS documents.
PDF 1.3 MB
September 13, 2018
Visa Security Alert: Purchase Return Fraud
Visa is aware of recent incidents in the U.S. in which criminals are committing fraud through processing fraudulent purchase return transactions. The fraud scheme involves cloned POS devices and funds are cashed out at ATMs after the purchase returns have been posted to the cards. The purpose of this Visa Security Alert is to provide clients with an understanding of the threat landscape and best practices for securing the environment.
PDF 392 KB
September 12, 2018
Improve the Customer Return Process
Starting in October 2018, merchants that meet specific volume thresholds for purchase returns on Visa accounts will be required to process a purchase return authorization for each return. All other merchants are required to process purchase return authorizations beginning in April 2019.
PDF 408 KB
September 5, 2018
Webinar: Threats from Website Add-ons and Ecommerce Trends
Visa hosted a webinar covering the threats from website add-ons and e-commerce breach trends. The webinar reviewed the common attack vectors and methods, malware injection techniques and overall e-commerce security trends and best practices.
PDF 2 MB
August 23, 2018
Webinar: Monetization of Financial Attacks
Visa hosted a webinar focusing on ATM cash out trends and issuer preventive measures. The session reviewed ATM cash out fraud and how the attacks are carried out. This is to provide an understanding of how to protect and defend against these schemes, as well as how Visa can help.
PDF 2 MB
August 1, 2018
EMV News - Quick Chip or Contactless Chip Frequently Asked Questions
Read about items of interest when deploying Quick Chip for EMV and Contactless as well as Streamlining Contactless Level 3 Chip Certifications.
PDF 523 KB
July 19, 2018
Visa Security Alert (PSI): Fraudsters targeting call center chat and non-voice channels (Chatbots)
A growing industry trend to deploy online chat and non-voice channel services within call centers and merchant online environments may introduce potential risks to the users of these services. Visa Payment Systems Intelligence (PSI) identified increasing instances of criminals targeting these online services to obtain payment data. The purpose of the attached Visa Security Alert is to provide clients with an understanding of the threat landscape and best practices for securing this environment.
PDF 222 KB
July 27, 2018
U.S. Automated Fuel Dispenser EMV Liability Shift Delayed
Visa has been working with merchants, acquirers, and fuel-industry providers to support migration to the more secure EMV technology. The EMV liability shift is designed to better protect all parties. With the new rules, the party that is the cause of a chip transaction not occurring, either the issuer or acquirer, will be held financially responsible for any resulting card-present counterfeit fraud losses. However, due to challenges with EMV Automated Fuel Dispensers (AFD) solution readiness, Visa is delaying the U.S. domestic AFD EMV liability shift date to 1 October 2020.
PDF 354 KB
July 6, 2018
Counterfeit Fraud Mitigation Best Practices - Point-of-Sale Merchants Who are Not EMV Chip Enabled
Four best practices that merchants can implement to help reduce counterfeit fraud for point-of-sale transactions.
PDF 929 KB
June 25, 2018
Chip Payment Acceptance for Restaurant Merchants - Understanding Tip and Gratuity Options
This flyer provides information about chip acceptance at restaurants and the options available for adding tips to the final transaction amount.
PDF 586K
May 24, 2018
Machine learning in the payments industry
Visa hosted a webinar providing an overview of machine learning; specifically, how machine learning is applied in the payment industry, decision making with machine learning, threats from machine learning based attacks, and managing and monitoring of machine learning.
PDF 969 KB
May 18, 2018
Counterfeit Fraud Mitigation Best Practices for Service Station Transactions - Fuel Merchants Who Are Not EMV Chip Enabled
This flyer provides best practices to help reduce counterfeit fraud for service station transactions where merchants are not yet accepting chip cards.
PDF 447 KB
May 18, 2018
Counterfeit Fraud Mitigation Tools for Automated Fuel Dispenser Transactions
This document describes 3 tools that can be used to help reduce counterfeit fraud on AFD transaction.
PDF 1015 KB
May 17, 2018
Providing the Proper Location of Your Merchant Business
This flyer provides clarification of the rules which detail how a merchant should identify the proper location for all transactions processed through the Visa system. Providing the proper information helps prevent unnecessary cardholder disputes and reduces additional risk to the Visa system.
PDF 462 KB
April 18, 2018
Webinar: New PCI SSC Data Security resources for small merchants
Visa hosted a webinar to highlight new data security resources available to small merchants through the Payment Card Industry Security Standards Council (PCI SSC). The webinar reviewed recent updates to the Qualified Integrator and Reseller Program and other educational resources designed to help small merchants better understand how to protect their acceptance environment and the Visa payment system.
PDF 798 KB
April 14, 2018
Signature requirement will become optional for EMV-enabled merchants in U.S. and Canada
New options for merchants in the U.S. & Canada From 14 April 2018, EMV-enabled merchants in the U.S. and Canada have the option to stop capturing signatures as a method of cardholder verification. Those same merchants will also no longer be required to retain and store transaction receipts.
PDF 192 KB
April 9, 2018
Online Dispute Guide for Merchants
Smaller merchants often ask for help with responding to transaction disputes. Visa developed an online guide for merchants to assist these smaller merchants with their disputes.
April 9, 2018
Dispute Management Guidelines for Visa Merchants
Managing disputes, copy requests, and dispute conditions
PDF 2.1 MB
March 2018
Merchant Frequently Asked Questions
The Merchant Frequently Asked Questions provides merchants with frequently asked questions regarding Visa Claims Resolution.
PDF 308 KB
Clarifications on stored credentials and MIT framework mandates
February 07, 2018
As the payment system has evolved, instances in which a transaction is initiated with a stored credential based on a cardholder’s consent for future use have increased to significant levels. To help merchants and acquirers understand the Stored Credential and Merchant Initiated Transaction framework, Visa is summarizing the requirements and implications through this supplemental document. Please refer to October 2016 VisaNet Business Enhancement Global Technical Letter and Implementation Guide for full details.
PDF 218 KB
Security Bulletin (PSI Alert): protect against ecommerce malware
January 10, 2018
eCommerce malware infections are a continued contributor to global fraud in the Card-Not-Present space. To help merchants combat fraud resulting from these global and persistent attacks, Visa is providing guidance and best practices for merchants to help secure their online stores.
PDF 127 KB
Visa Security Alert (PSI Alert): Cybercriminals leveraging dynamic data exchange (DDE) protocol
November 14, 2017
Visa has become aware of the rise in phishing campaigns throughout the payments ecosystem. The primary cybercriminal exploitation method begins with a phishing e-mail and relies on the Dynamic Data Exchange (DDE) protocol for infection instead of malicious macros or an exploit kit. Visa is providing this alert to ensure awareness of the cyber threats actively exploiting this Microsoft Windows feature.
PDF 625 KB
Webinar: Monthly client data security communication
November 14, 2017
Visa hosted a webinar for clients to present an overview of Visa's new monthly client data security communication. To assist clients in managing their sponsored merchant and third party agent compliance with Visa’s data security validation requirements, effective November 2017, Visa will provide clients with a monthly report listing all merchants and third party agents due to revalidate compliance against the Payment Card Industry Data Security Standard and/or PCI PIN Security Requirements.
PDF 977 KB
November 1, 2017
Webinar (PSI Alert): Emerging threat: card-not-present breaches
As counterfeit fraud becomes more challenging for fraudsters globally, they have shifted their focus to the card-not-present channel. Cybercriminals are targeting e-commerce transactions to exploit common vulnerabilities and compromise static payment data. In particular, the e-commerce space has seen developments in malware, modified source codes and database triggers.
PDF 1.1MB
October 1, 2017
Visa Claims Resolution - Efficient Dispute Processing for Merchants
Visa Claims Resolution, a new global initiative will replace Visa’s existing dispute resolution process. VCR will simplify dispute processing by migrating from a litigation-based approach to a liability-assignment-based approach. This flyer describes the new process, consolidation of reason codes, and merchant benefits.
PDF 2.1 MB
September 27, 2017
Visa account updater and real time Visa account updater
Visa understands the challenges faced by merchants when it comes to staying on top of account information changes. Outdated credential-on-file information can lead to declined transaction and cardholder inconvenience. Increase authorization approvals and reduce customer service issues and expense with Visa Account Updater (VAU). VAU offers two solutions that solve this problem; VAU and Real Time VAU.
PDF 123 KB
September 19, 2017
Webinar Deck: 2017 Visa security symposium recap
Visa hosted a webinar to discuss the topics and key take-aways from the 2017 Visa Security Symposium. This webinar highlighted the importance of securing a connected world. In today’s digital age, proper checks on data security and risk management are essential to defending the payments ecosystem.
PDF 1.7 MB
September 1, 2017
Automated fuel dispenser EMV implementation
Fuel dispenser chip card acceptance is the more secure way to accept Visa cards at your fuel dispensers, and the best way to avoid liability for counterfeit fraud. The sooner it is done the better for a number of reasons.
PDF 71 KB
August 18, 2017
Automated Fuel Dispenser (AFD) fraud prevention best practices
This document reviews best practices for fuel merchants for preventing Automated Fuel Dispenser (AFD) fraud.
PDF 55 KB
August 01, 2017
Visa Bulletin: Play it safe this summer
Do you know who handles your data? Working with the right partners is crucial to protecting the cardholder environment. Ensuring that players prioritize security can help you score a security home run this summer.
PDF 789 KB
July 20, 2017
Visa Bulletin: Data compromise reporting requirements
Visa has observed an increase in network intrusions involving service providers, re-breaches of merchant payment environments and skimming incidents involving Point of Sale (POS) device overlays. Visa is issuing this alert to make Members and entities aware of their obligations to investigate and immediately report all data compromise events.
PDF 263 KB
July 6, 2017
Visa Authorization and Reversal Processing Guide
The best practices in this document allow merchants to maximize the financial benefits of this authorization processing capability, while creating the best experience for the customer.
PDF 602 KB
May 31, 2017
Webinar: Risk Management Trends in the Global Payments Ecosystem
Visa hosted a webinar providing an overview of the trends in the global payment system – from protection to authentication. This webinar highlights the effects more players and digitization have on the payments ecosystem and what that might mean for data security, fraud management and cyber intelligence in the future.
PDF 1.5 MB
May 4, 2017
PSI Alert: Detecting and Mitigating Persistent Javascript eCommerce Malware
In February 2017, analysts identified a new technique used with JavaScript-based eCommerce malware that enables the malware to re-infect the website automatically upon incomplete removal. Visa is providing this report in order to alert eCommerce merchants to this malware technique, and to provide detection and mitigation methods if this malware is discovered.
PDF 520 KB
April 07, 2017
Pay Acceptance for US Quick-Service Restaurants
The information contained in the Visa Payment Acceptance Best Practices for U.S. Quick-Service Restaurants guide is geared toward the actions and decisions most pertinent to quick-service restaurants and operators in the U.S. It also includes best practices and on-the-job support tools for managers and employees.
PDF 4.6 MB
April 06, 2017
Visa Partial Authorization Service – Improve the Customer Experience and Increase Sales
Visa provides a Partial Authorization service that provides an alternative to declining a transaction when the card’s available balance is not sufficient to approve a transaction in full. This flyer provides information about the benefits realized, how to use the service, and answers to frequently asked questions.
PDF 206 KB
March 29, 2017
Third Party Risk Program Initiatives
Webinar deck highlights tools and resources that are available to clients and merchants to mitigate risks when selecting a service provider partner. Additional highlights include Third Party Agent Risk Program initiatives, including unregistered agent campaigns and multiple tool enhancements.
PDF 1.1 MB
March 1, 2017
PSI Alert: Flokibot Malware
Multiple information security firms have reported on the emerging threat of a new malware variant identified as “Flokibot.” While Flokibot attacks have focused on the LAC region to date, this malware may represent a broader threat to the payments ecosystem. Visa is publishing this alert in order to provide clients and stakeholders with technical information, including background on the malware, indicators of compromise and suggested mitigation activities to protect the payments ecosystem.
PDF 488 KB
February 21, 2017
Visa Publication: Racing to Security
It is always a great opportunity to set goals and make plans to achieve them. While motivation is at an all-time high, consider taking the following actions to help secure the payments ecosystem at the merchant level.
PDF 426 KB
February 01, 2017
Card Acceptance Guidelines for Visa Merchants
Download this comprehensive manual for all businesses that accept Visa transactions in the card-present and/or card-absent environment. This guide provides the latest information and best practices to help merchants process Visa transactions, understand Visa products and rules and protect cardholder data while minimizing the risk of loss from fraud.
PDF 5.9 MB
January 18, 2017
Manual Key Entry and Card Verification Value 2 for US Merchants
Outlines upcoming changes to the acceptance process at the point of sale for merchants using chip acceptance devices.
PDF 216 KB
December 30, 2016
PSI Alert: General Skimming Alert
As the US market migrates to EMV chip, the fraud threat from criminals placing skimming devices on, or in, attended and unattended point-of–sale (POS) devices for the purpose of collecting payment card information, including PIN numbers, increases. Perpetrators use skimmed payment information to quickly create counterfeit cards re-encoded with the stolen card information typically resulting in ATM withdrawals. To help clients combat skimming, Visa is providing guidance on recommended inspection and response actions. This data security alert may be disseminated to all payment system stakeholders.
PDF 111 KB
December 8, 2016
Webinar: Preventing Card-Not-Present Fraud
Chip card technology in the U.S. has created new challenges for committing fraud at the physical point of sale. Data compromises continue to occur, with fraud migrating online and into other card-not-present channels. As a result, some merchants may experience an increase in chargebacks and transaction declines, cutting into their profitability. In this webinar, learn about current fraud trends and strategies to mitigate fraud in e-commerce. Visa shares common flags for card-not-present fraud and methods for managing and resolving transaction disputes.
PDF 1.3 MB
November 17, 2016
Bulletin: Cyber Monday: Layer Up for Safer Holiday Sales
Global eCommerce sales are expected to double from 2015 to 2019. While growth in this sales channel creates great opportunities for merchants, it also has the ability to attract high levels of fraud activity. With the holiday season fast approaching, merchants should understand how to best protect against Card Not Present Fraud.
PDF 678 KB
November 16, 2016
Webinar: Top 10 Signs of a Payment Data Breach
Recognizing the signs of a cyber-attack can make the difference between falling victim to a Point-of-Sale compromise and stopping a breach in progress or preventing one altogether. Through research and intelligence gathered from payment data breach investigations, Visa identified many common tactics, attack characteristics and malware types across breaches in every merchant vertical. Learn some of the new developments in Point-of-Sale network attacks and gain insights into data exfiltration methods as well as how to spot the common warning signs of a breach within the payment environment. Knowing the attacker’s tactics and tools goes a long way in building better defenses.
PDF 607 KB
October 26, 2016
Webinar: EMV Migration - Not as Scary as it Used to Be
With steady progress and growth of EMV since October 1, 2015, there are now more than 1.46 million chip-enabled businesses and 363 million chip-enabled Visa cards, making the U.S. the largest Visa chip card market in the world. The number of Visa chip transactions surpassed half a billion in the month of August, representing a 1,000+ percent annual increase. As we reach the one-year anniversary of the EMV liability shift, many questions remain regarding the process behind the migration and the advancements made in the past year. This session discussed why the U.S. moved to EMV, the progress the industry and Visa has made in the past year, analyze early results and updates on further enhancements, such as Visa Quick Chip.
PDF 1.1 MB
September 30, 2016
Small Merchant Security Program – QIR Infographic
As part of a broader effort to mitigate small merchant breaches, Visa Payment System Risk established new data security program requirements for U.S. and Canadian acquirers with an effective date of January 31, 2017. This infographic addresses the most common questions on the topic of the small merchant validation and Qualified Integrator/Reseller (QIR) requirements.
PDF 800 KB
September 28, 2016
Webinar: Effectively Managing Account Data Compromises
Protecting the payment system is a shared responsibility. During this webinar, Visa experts shared latest compromise trends, mitigation strategies, and the latest 'What To Do If Compromised' document.
PDF 3.6 MB
September 26, 2016
PSI Alert: Protect Against ATM Cash-Out Fraud
Visa has seen an increase in global ATM cash-out fraud, which can extract millions of dollars from financial institutions in a short time. The key to limiting losses is quick detection and decisive action, carefully coordinated with Visa. ATM cash-out fraud can happen at any time, anywhere in the world. It often affects issuers in one country and acquirers in another. To help clients combat this global and sophisticated type of fraud, Visa is providing guidance and best practices.
PDF 116 KB
August 30, 2016
PSI Alert: ATM Malware Compromise
In late August 2016, Visa became aware of a recent ATM malware compromise in SoutheastAsia and is providing indicators of compromise (IOCs) in order to enable security and incident response teams of financial institutions and ATM manufacturers to check and secure network environments. While these IOCs are specifically associated with an investigation involving ATMs in the Southeast Asia incident, Visa notes that the methods employed by the criminals in this incident represent a broader criminal threat to ATM manufacturers/models worldwide and their deployers.
Visa previously published a technical analysis on malware, including filenames, malware hashes, and criminal methodology involved in a separate ATM Jackpotting incident in the Asia-Pacific region. While there are similarities between the two events, this notification serves to highlight key differentiators –including malware and methodologies - pertaining to the incident in Southeast Asia.
PDF 641 KB
August 24, 2016
Webinar: Guarding Against Card-Not-Present Fraud
Mobile purchases increased to nearly one in five online orders and generated about $69.1 billion during the most recent holiday season. As mobile payments grow, fraud risks increase. Knowing the differences between eCommerce and mCommerce fraud is a critical first step in protecting merchants. Visa and CyberSource experts explain how a process-based approach can help clients detect and control mobile fraud.
PDF 1.75 MB
August 12, 2016
PSI Alert: Oracle MICROS Compromise
On Monday, 8 August 2016, Oracle Security informed Oracle MICROS customers that it had detected malicious code in certain legacy MICROS systems. Oracle is currently investigating the compromise, and as of 12 August 2016, the company has not published details about the cause/s.Visa is issuing this alert to provide indicators of compromise (IOCs) associated with cybercrime threats known to have previously targeted Oracle systems.
PDF 682 KB
August 9, 2016
Webinar: Protect the Payment System from Account Testing and Fraudulent Authorizations
Visa shares the profile of criminal account testing and associated fraudulent authorizations, and the best practices that payment operations groups must deploy to restrict fraud.
PDF 2.5 MB
August 4, 2016
Webinar: PCI DSS Small Merchant Resources
The PCI Security Standards Council convened a small merchant business taskforce to provide guidance and feedback to prepare resources that simplify data security for some of the most vulnerable businesses preyed upon by cybercriminals. Relying on cross-industry expertise to help small merchants understand why and how to protect payment card data and resolve risks to their businesses the taskforce has developed a toolkit to aid this effort.
PDF 1.5 MB
August 4, 2016
PSI Alert: ATM Jackpot Malware
Visa highlights the ATM “Jackpotting” incidents in the attached data security alert. This publication provides information regarding indicators of compromise (IOCs) as well as recommendations for response.
PDF 586 KB
July 15, 2016
PSI Alert: Magento Vulnerabilities Affecting Ecommerce Merchants
Magento is a popular open-source, e-commerce platform written in PHP. Several critical and high vulnerabilities were discovered and patched on the Magento platform in January 2016. Merchants who have not deployed security patch SUPEE-7405, as required by PCI standards, are vulnerable to remote exploits that can compromise account data. Document shares a description and impact of Magento and provides detection and mitigation steps.
PDF 302 KB
July 12, 2016
PSI Alert: PoSeidon Malware persistence Monitoring
In March 2016, the PoSeidon (point-of-sale) PoS malware was modified with the incorporation of a persistence monitoring capability. PoSeidon malware now actively monitors the PoS system processes in order to maintain the infection and malware functionality. If the malware is removed from the system, the monitor process waits two (2) minutes and re-infects the system. Document provides an overview of the threat and risk description and best practices to mitigate against PoSeidon.
PDF 339 KB
Jun 28, 2016
Webinar (PSI Alert): Skimming at the Point of Sale
In response to a rise in incidents in which skimming devices were placed on POS terminals to collect payment card information, Visa shares typical skimming events that affect self-checkout terminals and the ways in which perpetrators carry out these attacks and how merchants can identify and properly manage these incidents.
PDF 3.5 MB
Jun 14, 2016
Manual Key Entry and Card Verification Value 2 for Merchants
Outlines upcoming changes to the acceptance process at the point of sale for merchants using chip acceptance devices.
PDF 198 KB
Jun 1, 2016
Online Pharmacy Guide for Acquirers
A manual for acquirers who have boarded, or are considering boarding, an Internet pharmacy or Internet pharmacy referral merchant.
PDF 1.2 MB
May 12, 2016
Visa Bulletin: Payment Card Industry Data Security Standard Version 3.2 Published
The Payment Card Industry Security Standards Council (PCI SSC) has published version 3.2 of the PCI DSS, which provides a baseline of technical and operational requirements designed to protect cardholder data. The bulletin includes key updates, effective dates for implementation and additional resources.
PDF 285 KB
May 12, 2016
PSI Alert: Threat Landscape - PIN PAD/POS SKIMMING
A Visa security alert describing recent incidents involving suspects placing skimming devices on point-of–sale (POS) terminals for the purpose of collecting payment card information, including PIN numbers.
PDF 106 KB
May 11, 2016
PCI DSS: A Look Inside V3.2
The Payment Card Industry Standards Security Council (PCI SSC) which is responsible for defining the technical and operation standards for the protection of payment card data will release an update to the PCI Data Security Standard (PCI DSS) in late April 2016. Visa’s representatives on the PCI SSC will provide information on what to expect with Version 3.2, review the key changes associated with this release and outline dates and impacts to Visa compliance programs.
PDF 819 KB
Apr 21, 2016
Processing Refunds to Cardholders in a Merchant Store Location
Following Visa’s requirements for processing a refund will help keep your customers informed and reduce the number of questions you may receive as the result of a return. This flyer describes best practices in processing a refund to a cardholder’s account.
PDF 789 KB
Apr 18, 2016
Enabling Omni Commerce A Seamless Shopping Experience
Many merchants are creating an omni-channel experience for their customers that provides convenient, seamless and secure delivery across all of their channels, including in-store, eCommerce, telephone, mobile web, and mobile app. This flyer describes the omni-channel experience depending on the payment and delivery option selected by the customer.
PDF 654 KB
Apr 13, 2016
Identifying, Preventing and Mitigating Skimming Attacks
Visa and a guest speaker from NCR Corporation discuss the latest skimming techniques and technology, as well as, how to spot skimming devices and safeguard against sophisticated attacks.
PDF 10.3 MB
Mar 23, 2016
Stay One Step Ahead of Hackers With Visa Threat Intelligence
Visa and a guest speaker from FireEye explain how financially motivated attackers are targeting customer data and the payment ecosystem. The session dived into security vulnerabilities and techniques hackers use to steal customer information, including payment card data. Visa subject matter experts also provide valuable cyberthreat indicators, risk mitigation strategies and practical guidance on how to detect these threats and secure systems from attack.
PDF 1.4 MB
Mar 4, 2016
Quick Service Restaurants-Chip Card Acceptance in the US
A flyer for quick service restaurants demonstrating how to use a chip cards for payment at the point of sale.
PDF 735 KB
Feb 24, 2016
Third Party Risk Program
Visa provides an overview of the risks third parties may introduce into the payment ecosystem and recent program updates and mandates (including small merchant and use of Qualified Integrators and Resellers). Additionally, highlights tools and resources available to issuers, acquirers and merchants when selecting service provider partners.
PDF 1.7 MB
Feb 1, 2016
Webinar (PSI Alert): “Kuhook” POS Malware
Visa highlights “Kuhook” Point-of-Sale (POS) malware, a variant from the “ModPOS” malware family. This point of sale malware, “Kuhook”, is one of the most sophisticated and difficult to detect payment card stealing malware identified. Visa experts and Mandiant highlight the malware capabilities, indicators of compromise and mitigation steps.
PDF 4,770K
Jan 29, 2016
Let your customers know you accept Visa
Learn how best to communicate that you accept Visa cards and/or mobile payments with Visa. Download the Visa POS Graphic for display at physical locations, on payment terminals and on websites.
ZIP 2.6M
Jan 15, 2016
"Visa Publication: New Year's Resolution: Resolve to Fight Malware"
Visa shares best practices to help mitigate against malware attacks.
PDF 330K
Jan 07, 2016
Update to Small Merchant Data Security Requirements and Frequently Asked Questions
Updates to the small merchant data security requirements for U.S. and Canada acquirers. These requirements involve the use of Qualified Integrators and Resellers (QIRs) and required PCI DSS validation. This document includes Frequently Asked Questions about the data security requirements.
PDF 193K
Dec 22, 2015
Visa Security Alert: Lodging Holiday Season
Visa has identified multiple malware families targeted the lodging industry, including casinos and resorts. To name a few, “FindPOS” (or “Poseidon”), “FrameworkPOS”, and “rawpos” are confirmed in several Visa investigations, suggesting the industry continues to be attractive to attackers interested in payment card data. This publication provides information on each malware family along with security best practices to mitigate this threat.
PDF 311K
Dec 18, 2015
Visa Best Practices: Visa Checkout Merchant Holiday Best Practices
Visa recommends best practices to help merchants mitigate fraud attacks during the holiday season.
PDF 340KB
Dec 17, 2015
Webinar (PSI Alert): “BlackPOS” Malware Revisited
Visa highlights “BlackPOS” malware, a malicious payment card-stealing software targeting point-of-sale systems. “BlackPOS” collect payment card data in ways that are difficult to identify and detect. Visa experts explains how it works, its methods of communication and maintaining stealth, and provides indicators of compromise for detection and eradication.
PDF 629K
Dec 16, 2015
Multiple Malware Families Targeting Lodging Merchants
Visa has identified multiple malware families (“FindPOS”, “FrameworkPOS”, and “rawpos”) being used to target the lodging industry, including casinos and resorts.
PDF 314K
Dec 08, 2015
Visa Custom Payment Service (CPS) – Rate options for electronic commerce retail merchants
Lists qualification criterial for custom payment service rates available to retail merchants in the electronic commerce space. Also provides information about key Visa products for validating the identity of cardholders.
PDF 405K
Dec 08, 2015
Visa Minimum U.S. Online Only Terminal Configuration
Information for U.S. merchants, acquirers, processors and terminal providers planning deployment of EMV chip terminals in the U.S.
PDF 1.2M
Dec 03, 2015
Webinar (PSI Alert): “Kuhook” Point of Sale Malware
Visa has identified a variation of malware (from the ModPOS malware family) targeting Point-of-Sale (POS) systems designed to run on Microsoft Windows. Codenamed “Kuhook,” the malware utilizes keylogger and memory scraping/parsing functionality. The malware is a sophisticated set of kernel mode device drivers written for the Windows XP platform and is compressed to make the source code and data unreadable.
PDF 160K
Nov 24, 2015
Authorization Reversals – The importance of providing the correct information
This flyer explains the importance of reversing authorizations properly and provides the required fields used in the reversal process.
PDF 324K
Nov 17, 2015
Strategies to Effectively Mitigate Fraud
Visa and CyberSource experts explore CNP risk methodologies to optimize the consumer experience and reduce false declines while minimizing fraud losses. Additionally, Visa tools such as CVV2, AVS, Verified by Visa – among others – were covered in great detail as well as CyberSource’s Decision Manager
PDF 2.06M
Nov 13, 2015
PSI Alert: Update – Cybercriminals Targeting Point of Sale Integrators
Updated data security alert highlighting attacks on point of sale integrators or resellers. This alert outlines attack vectors and mitigation strategies.
PDF 429K
Nov 13, 2015
Chargeback Management Guidelines for Visa Merchants
Managing chargebacks, cardholder disputes, copy requests, and chargeback reason codes
PDF 5.1M
Oct 29, 2015
New Small Merchant Data Security Requirements
Requirements for U.S. and Canada acquirers to ensure that their small merchants take steps to secure their point-of-sale (POS) environment. Merchants must use Qualified Integrators and Resellers (QIRs) and Level 4 merchants must validate PCI DSS compliance.
PDF 414K
Oct 21, 2015
Data Security Basics for Small Merchants
Valuable information for small merchants, including franchisees, highlighting the importance of protecting their customer's cardholder data, explaining the Payment Card Industry (PCI) Data Security Standards (DSS), and providing tools, solutions and strategies to use to help mitigate the risk of fraud and data breaches.
PDF 416K
Oct 21, 2015
Data Breach Findings and Mitigation Actions for the Payment System
Visa explores common security vulnerabilities identified in data breaches and provides mitigation strategies that help to strengthen those payment processing environments.
PDF 926K
Sep 21, 2015
Airline Industry Ancillary Transaction Data Standard - Improved recognition for airline transactions
This flyer describes options to help airline merchants provide additional information when posting ancillary transactions, such as baggage fees and on-board meals.
PDF 855K
Sep 11, 2015
Visa Prepayment Transactions - Pay Now and Get Later
Information relating to the prepayment of merchandise when it is not immediately available. Includes requirements relating to cardholder consent, merchant policy, and transaction receipts.
PDF 537K
Sep 02, 2015
The Importance of Containment and Remediation of Compromised Payment Processing Environments
Visa analyzes the underlying causes of recurring breaches and the downsides to "check the box" cyber incident response. Breach preparedness and incident response best practices are provided to help respond to a breach the right way.
PDF 615KB
Aug 26, 2015
2015 Visa Payment Security Symposium Recap
A summary of the 2015 Payment Security Symposium held August 12-13, 2015.
PDF 2.78MB
Aug 25, 2015
Implement Effective Penetration Testing
The presentation deck of a panel of industry experts discussing the importance of effective penetration testing, including how to identify a tester and define the scope of a test.
PDF 547KB
Aug 20, 2015
Windows Server 2003 End of Life
Microsoft will no longer support or issue security fixes for Windows Server 2003 after July 14, 2015. This poses a greater risk to the data security of a company utilizing Windows Server 2003. Furthermore, as of July 15, 2015 companies using this software may no longer be in compliance with Payment Card Industry Data Security Standard (PCI DSS).
PDF 387KB
Aug 18, 2015
Guaranteed Reservations for Merchants - Making It Easier to Do Business with Visa
This flyer identifies the merchant types that are now eligible to process guaranteed reservations and provides the rules that must be followed by reservation merchants.
PDF 891KB
Aug 17, 2015
Strengthening Merchant Point-of-Sale (POS) Security
A checklist of best practices to protect your business from malicious remote access activity associated with unauthorized access to merchant Point-of-Sale (POS) environments via POS integrators.
PDF 90K
Aug 5, 2015
Payment Card Data and Protected Health Information Security Practices
Visa explores threats and security practices for protecting payment card data and personally identifiable information in the health care industry.
PDF 1.64M
Jul 22, 2015
Managing Network Segmentation in Payment Environments
Visa reviews how flat networks or networks without adequate network segmentation make it easy for an attacker to pivot and traverse the network after it has gained entry. Properly segmenting the network can greatly reduce PCI scope, controls, and costs. Also provided are recommendations, benefits and principles of network segmentation, and how to best defend against network threats and vulnerabilities.
PDF 1.15M
Jun 5, 2015
PSI Alert: Cybercriminals Targeting Point of Sale Integrators
Visa has observed a considerable increase in malicious remote access activity associated with unauthorized access to merchant Point-of-Sale (POS) environments via POS integrators.
PDF 519K
May 27, 2015
Effectively Managing Data Breaches
Learn about Visa’s investigation lifecycle and containment procedures to help minimize payment card fraud.
PDF 1M
May 26, 2015
5 Important Visa Rules That Every Merchant Should Know
This flyer informs merchants about key card acceptance procedures that will help them avoid being out of compliance with Visa rules.
PDF 601K
Apr 29, 2015
Identifying and Mitigating Threats to E-commerce Payment Processing
Visa explores threats observed in e-commerce payment processing systems, including merchants, web applications, and other internet-facing systems
PDF 1M
Apr 15, 2015
Creating, Developing and Instituting an Effective Incident Response Plan
An incident response plan is crucial to responding to a data breach and further protect payment environments
PDF 1.1M
Mar 25, 2015
Breach Findings for Small Merchants
Data breach findings and mitigation action items for small merchants.
PDF 331K
Mar 05, 2015
Visa Optimizes Dispute Rules - New Avenues for Card Not Present Merchants
This document outlines changes to the dispute resolution rules concerning compelling evidence. The changes will be effective 17 October 2015
PDF 429K
Mar 01, 2015
PSI Alert: Carbanak (Anunak) Advanced Persistent Threat
Impact and mitigation of "Carbanak" malware
PDF 307K
Mar 01, 2015
PSI Alert: “Rawpos” Malware Targeting Lodging Merchants
The “rawpos” malware is a memory scraper infecting global lodging merchants.
PDF 1M
Jan 28, 2015
Breach Findings for Large Merchants
Data breach findings and mitigation action items for large merchants.
PDF 592K
Dec 31, 2014
Retirement of Pre-PCI Attended POS PIN Entry Devices
Pre-PCI POS PEDS must be removed by May 5, 2010.
PDF 144K
Dec 1, 2014
Automated Fuel Dispenser Fraud Mitigation
Strategies for long-term risk management
PDF 707K
Oct 29, 2014
SSL 3.0 “POODLE” Vulnerability
Impact and mitigation of “POODLE” vulnerability
PDF 112KB
Aug 20, 2014
North America Payment Card Security and Technology Symposium Recap
A review of the 2014 North America Payment Card Security Symposium.
PDF 447KB
Aug 14, 2014
Fraudulent Credits Trend: ATM Reversals
Scheme using compromised merchant information to issue fraudulent credits with ATMs.
PDF 130KB
Aug 14, 2014
Chip Payment Acceptance - Putting it Into Perspective for Small-Ticket Unattended Merchants
Common myths of accepting chip cards, and information on implementing chip acceptance for your business.
PDF 296KB
Aug 14, 2014
Fraudulent Credits Trend: ATM Reversals
Scheme using compromised merchant information to issue fraudulent credits with ATMs.
PDF 130KB
Aug 8, 2014
Upgrading Your Point-Of-Sale (POS) Infrastructure to Accept Chip Cards
Key points to discuss with your acquirer when determining the best options for upgrading terminals to accept chip cards.
PDF 667KB
Aug 8, 2014
Tap Into the Power of EMV Chip Technology and Start Building Your Future Today
Reasons for the movement to chip technology in the U.S. and information on the migration strategy.
PDF 774KB
Aug 8, 2014
Play it Smart With U.S. Chip Payment Transactions
T&E merchants: movement to chip technology in the U.S. and how chip cards are used with chip terminals during transactions
PDF 1.2MB
Aug 5, 2014
Pharmaceutical Guidelines Overview
Guidelines for online merchants looking to sell pharmaceuticals.
PDF 1.5MB
Aug 1, 2014
Optimize Your Cross-Border Ecommerce Payment Acceptance - Best practices for ensuring proper disclosures and improving the customer experience
Visa International ecommerce rules, foreign currency transactions, and cross-border payment disclosures and processing.
PDF 773KB
Jul 31, 2014
U.S. CERT Advisory: Backoff Point of Sale Malware
U.S. CERT advisory of “Backoff” malware family targeting Point-of-Sale systems
PDF 967KB
Jul 8, 2014
Improving Dispute Resolution for Merchants Globally
Upcoming changes to the dispute resolution process that will be effective for chargebacks processed on or after 18 April 2015
PDF 321KB
Jul 1, 2014
Insecure Remote Access and User Credential Management
How to mitigate insecure remote access and user credential management.
PDF 143K
Jun 1, 2014
New Visa Brand Mark and Card Design Features
This guide illustrates the new Visa Brand Mark on Visa cards and new card design features.
PDF 257KB
Apr 8, 2014
Windows XP’s End of Life: Understanding the Risks and Impact to Point-of-Sale and Automated Teller Machines
Expiration of Windows XP support can negatively impact merchants.
PDF 444KB
CPS/Card Not Present - Protect Your Business and Reduce Operating Costs
How mail and phone order merchants can qualify transactions for CPS, safeguard themselves, and lower operating costs.
PDF 525KB
Apr 1, 2014
OpenSSL "Heartbleed" Vulnerability
Impact and mitigation of OpenSSL "Heartbleed" vulnerability.
PDF 116KB
Mar 17, 2014
Processing Split-Shipment Card-Absent Transactions – Merchant Best Practices
Expanded use of multiple clearings for split-shipment card-absent transactions, and best practices for employing this process.
PDF 642KB
Mar 6, 2014
Chewbacca Point-of-Sale (POS) Malware
Impact and mitigation of "Chewbacca" Point-of-Sale malware
PDF 129KB
Feb 19, 2014
Preventing ATM Skimming (Spanish)
Spanish language guidelines to prevent ATM skimming.
PDF 1.9MB
Feb 1, 2014
Retail Merchants Targeted by Memory-Parsing Malware - UPDATE
Updated alert involving memory-parsing malware
PDF 59KB
Jan 10, 2014
Reducing Counterfeit Fraud Through Acceptance Best Practices
Counterfeit fraud prevention best practices and procedures for all U.S. acquirers and merchants.
PDF 3.1MB
Jan 1, 2014
PCI SSC Resources for Merchants
What merchants need to know about the PCI Security Standards.
Jan 1, 2014
Visa's Global Registry of Service Providers
Looking for a validated Service Provider? Please review this list.
Jan 1, 2014
PCI SSC Data Security Standards Overview
The latest Payment Card Industry Data Security Standard.
Jan 1, 2014
Visa Modifies Processing for Split-Shipment Card-Absent Transactions
Modifications made to processing card-absent transactions containing multiple items for a single order.
PDF 1.1MB
Jan 1, 2014
Mitigating Large Merchant Data Breaches
Actionable items to help prevent merchant breaches.
PDF 4.38MB
Jan 1, 2014
Approved Scanning Vendor Companies
The PCI SSC certified Approved Scanning Vendor listing.
Jan 1, 2014
Payment Application Security Assessor Companies
The PCI SSC certified Payment Application Qualified Security Assessor listing.
Jan 1, 2014
PCI SSC List of PA-DSS Validated Payment Applications
Payment application validated by the PCI SSC.
Jan 1, 2014
PCI SSC Resources for Merchants
What merchants need to know about the PCI Security Standards.
Jan 1, 2014
PCI SSC Data Security Standards Overview
The latest Payment Card Industry Data Security Standard.
Jan 1, 2014
Qualified Security Assessor List
The PCI SSC certified Qualified Security Assessor listing.
Jan 1, 2014
Reducing Counterfeit Fraud Through Acceptance Best Practices
Proper card acceptance procedures can minimize counterfeit fraud transactions.
PDF 3MB
Jan 1, 2014
Skimming is a Scam
A one-page guide that explains what card skimming is, how to spot it, and what to do in response.
PDF 225KB
Jan 1, 2014
PCI Forensic Investigator (PFI) Program
The PCI SSC certified PCI Forensic Investigator listing.
Nov 14, 2013
Skimming and Fraud Protection for Petroleum Merchants
Data security and fraud protection best practices for petroleum merchants.
PDF 2.02MB
Oct 16, 2013
Strengthening Processor Security
Best practices for securing cardholder data in a processing environment.
PDF 984KB
Sep 18, 2013
Encryption and Tokenization: Protecting Customer Data
A primer on the secure technologies, encryption and tokenization.
PDF 1.71MB
Aug 28, 2013
Mitigating Large Merchant Breaches and Leveraging Technology to Secure the Future
Preventing merchant breaches and secure technology options.
PDF 638KB
Aug 1, 2013
Retail Merchants Targeted by Memory-Parsing Malware - UPDATE
Updated alert involving memory-parsing malware.
PDF 48KB
May 6, 2013
Maximize Point-of-Sale PIN-Entry Device Security
Retire all pre-PCI attended POS PEDs by 31 December 2014.
PDF 428KB
Apr 24, 2013
Payment Processing Threats Impacting Grocery Store Merchants
An in-depth look on data security threats targeting grocery store merchants.
PDF 580KB
Apr 11, 2013
Preventing Memory-Parsing Malware Attacks on Grocery Merchants
Memory-parsing malware targeting Point-of-Sales and back-of-house systems
PDF 331KB
Apr 1, 2013
Visa Sets U.S. Acquirer Processor Mandate for Chip Transaction Processing
This document outlines changes to the dispute resolution rules concerning compelling evidence. The changes will be effective 17 October 2015.
PDF 29KB
Mar 14, 2013
Digital Wallet Guidelines for Merchants
Integration guidance for merchants utilizing digital wallets.
PDF 44KB
Feb 13, 2013
Merchant PIN Security Compromise Trends and Best Practices (English)
English language presentation on PIN focused hacker attacks.
PDF 1.25MB
Feb 12, 2013
Merchant PIN Security Compromise Trends and Best Practices (Spanish)
Spanish language presentation on PIN focused hacker attacks.
PDF 1.67MB
Feb 6, 2013
Visa Data Security Program - Keeping Cardholder Data Safe
Outline of Visa's data security compliance programs.
PDF 56KB
Feb 5, 2013
Protect Your Merchant Terminals From Illegal Tampering
Keep your Point-of-Sale terminals safe from fraudsters.
PDF 768KB
Jan 1, 2013
Minimum Transaction Amount on a Visa Credit Card
Information to review before setting minimum transaction amounts on Visa card payments, with best practices for sales staff.
PDF 291KB
Jan 1, 2013
Mobile Evolution Securing the Next Wave of Payment Innovation – Hospitality Upgrade
Best practices for hoteliers considering accepting mobile payments.
PDF 1.15MB
Jan 1, 2013
Play It Smart with U.S. Chip Payment Transactions
Chip card acceptance for hotel, car rental, and restaurant merchants, with quick reference chart.
PDF 685KB
Jan 1, 2013
Security Options to Future-proof Merchant Investments – Hospitality Upgrade
Invest in secure technologies to future proof hospitality payment systems.
PDF 1.08MB
Jan 1, 2013
Visa Travelers Cheques Acceptance Guidelines
Guidelines for accepting Visa travelers cheques.
PDF 611KB
Jan 1, 2013
Common Payment Card Security Myths Dispelled – Hospitality Upgrade
Three common payment card misconceptions in the hospitality industry.
PDF 4.13MB
Jan 1, 2013
E-Commerce Merchants' Guide to Risk Management
Maintaining safe online transactions, including risk management, chargebacks, and fraud prevention advice.
PDF 4.1MB
Jan 1, 2013
Visa PIN Entry Device Requirements
Find out about Visa's PED program requirements
PDF 249KB
September 16, 2013
Dynamic Cardholder Verification Method Best Practices
This document provides guidance for issuers that plan to develop or use a third-party dynamic Cardholder Verification Method (CVM) service to authenticate their cardholders. Dynamic CVMs, such as One-Time Passcodes (OTP), are becoming more prevalent for on-line banking and e-commerce transactions as financial institutions aim to strengthen their customer authentication capabilities. Visa developed the following dynamic CVM best practices for issuers to consider and assess the security features of these solutions.
PDF 36 KB
August 24, 2012
Data Security Tips for Small e-Commerce Businesses
Visa Data Security: Tips and Tools for Small e-Commerce Businesses
PDF 1.7 MB
August 24, 2012
Data Security Tips for Retailers
Quick tips and security steps to ensure your customer’s information is safe.
PDF 102 KB
April 28, 2011
Visa Best Practices for Payment Application Integrators and Resellers
Recent data compromises have demonstrated the need for third party payment application integrators and resellers to maintain security processes that go beyond providing software that is compliant with the Payment Application Data Security Standard (PA-DSS).
Visa shares best practices to help defend against poor implementation, maintenance and support processes that have led to merchant and agent data compromises. Visa advises acquirers, merchants, agents and payment application vendors to contact their licensed integrators and resellers, and insist that these best practices be immediately adopted. Merchants and agents should also consider including these best practices as a condition of their service level agreements with third party integrators and resellers.
PDF 60 KB
March 31, 2011
Issuers’ Payment Card Industry Data Security Standard Frequently Asked Questions
This frequently asked questions (FAQ) document provides guidance for issuers and the ATM environment on Visa-specific programs that mandate compliance with Payment Card Industry (PCI) standards.
PDF 43KB
August 24, 2010
Visa Top 10 Best Practices for Payment Application Companies, Version 1.0
Recent payment card data compromises have demonstrated the critical need for payment application companies to maintain mature software processes for their customers that go beyond Payment Application Data Security Standard (PA-DSS) compliant software. Acquirers, merchants and agents should review Visa’s best practices and insist that their payment application vendors, integrators and resellers fully adopt these practices
PDF 60 KB
July 14, 2010
Visa Best Practices for Tokenization Version 1.0
In October 2009, Visa published the Visa Best Practices for Data Field Encryption to promote the proper encryption of sensitive card data that is transmitted, processed or stored by stakeholders throughout the payment system. As part of these best practices, Visa recommended that entities use tokens (such as a transaction ID or a surrogate value) to replace the Primary Account Number (PAN) for use in payment-related and ancillary business functions. Tokenization can be implemented in isolation or in concert with data field encryption to help merchants eliminate the need to store sensitive cardholder data after authorization. Entities that properly implement and execute a tokenization process to support their payment functions may be able to reduce the scope, risks and costs associated with ongoing compliance with the Payment Card Industry Data Security Standards (PCI DSS).
PDF 50 KB
July 14, 2010
Visa Best Practices for Primary Account Number Storage and Truncation
To reinforce its commitment to protecting consumers, merchants, and the overall payment system, Visa is pursuing a global security objective that will enable merchants to eliminate the storage of full PAN and expiration date information from their payment systems when not needed for specific business reasons. To ensure consistency in PAN truncation methods, Visa has developed a list of best practices to be used until any new global rules go into effect.
PDF 39 KB
June 16, 2010
Visa Introduces Corporate Franchise Servicer as a New Third Party Agent Category
Corporate Franchise Servicer entities operate in a number of merchant segments, including lodging and food service. In an effort to address the increasing threat of data compromises that affect franchise businesses, effective immediately, Visa will extend the Third Party Agent Program to include a new category of agents, called “Corporate Franchise Servicers.” Corporate Franchise Servicers (CFS) operates in a number of merchant segments, including food service and lodging. The inclusion of Corporate Franchise Servicer agents in the Visa Third Party Agent Program will help ensure that Corporate Franchise Servicer agents protect card data by at a minimum complying with the Payment Card Industry Data Security Standards (PCI DSS).
PDF 41 KB
June 11, 2010
Data Security Small Merchant Tips
Visa Data Security: Tips and Tools for Small Merchant Businesses
PDF 538 KB
October 5 , 2009
Visa Best Practices for Data Field Encryption
Visa shares best practices for data field encryption to protect cardholder data and sensitive authentication data.
PDF 52 KB
April 22, 2009
Primary Account Number Truncation on Cardholder Statements
It is common practice for some card issuers to print the full PAN on each page of a cardholder’s billing statement; however, Visa strongly recommends that, as a “best practice,” issuers truncate or eliminate the printing of the cardholder PAN on billing statements and other cardholder communications.
PDF 29 KB
February 10, 2009
Visa Issuer and Acquirer Payment Card Industry Data Security Standard Compliance
Visa Operating Regulations specify that all Visa clients, including issuers and acquirer financial institutions, must comply with the Payment Card Industry Data Security Standard (PCI DSS). This bulletin specifies the requirements and recommendations necessary for facilitating this compliance.
PDF 39 KB