Visa launched the Cardholder Information Security Program (CISP) in 2001, which was a rigorous set of security protocols that effectively held merchants, banks and credit card processors to the highest data security standards in order to protect valuable credit card information.
Acknowledging the program’s effectiveness, the entire industry adopted CISP in 2004, and it became known as the Payment Card Industry Data Security Standards (PCI DSS).
Four Levels of PCI Compliance
The PCI DSS outlines a four-level compliance classification system for merchants, based on annual transaction volume and potential risk. Merchants who accept Visa must adhere to the specific requirements for their merchant level under PCI DSS.
Visa continues to rigorously enforce the compliance validation initiatives that it began under CISP. If a merchant is out of PCI DSS compliance and suffers a data security breach, Visa may issue substantial fines to that merchant. (The fines may be waived, however, if a forensic audit does not discover evidence of noncompliance.)
Visa recommends that merchants maintain full compliance at all times in order to avoid fines and reduce the chance of a data security breach.
Recommendations on Improving Data Security
The 12 requirements of the PCI Data Security Standards help merchants maintain compliance and protect valuable cardholder information. Visa offers the following tips based on these requirements to improve data security.
- Ensure any Internet-ready credit card processing equipment — including computers, terminals or software — has appropriate firewalls properly installed and configured to prohibit all unauthorized traffic (Req. 1).
- Change all IDs and passwords from the defaults supplied by the vendor (Req. 2). Passwords that are unique and complex should be created for every employee who has access to your payment systems (Req. 8).
- Make sure all records of sensitive information (whether paper or electronic), including credit card numbers and expiration dates, are destroyed or securely stored (Req. 3 & Req. 9).
- Install anti-virus and anti-malware programs on any computer systems used for credit card processing and update these programs regularly (Req. 5).
- Be aware of everyone who has access to your sensitive systems, from employees to vendors, and be sure to track their network activity (Req. 10).
- Have an Approved Scanning Vendor (ASV) regularly scan your credit card processing systems for vulnerabilities (Req. 11).