10.04.2003
Visa Cardholder Information Security Program (CISP)
What is CISP and how does it affect merchants? A brief description provided by Visa and a questionnaire to help verify compliance.
In April 2000, Visa announced the launch of its Cardholder Information Security Program (CISP). Approved in October 1999 and mandated May 1, 2001, the program was created specifically for merchants and service providers who process, store or transmit cardholder data.
What is CISP?

The Visa U.S.A. Cardholder Information Security Program (CISP) defines a standard of due care and enforcement for protecting sensitive information. Because the payment industry places a high priority on maintaining the confidentiality and integrity of account and personal data, the CISP requirements are directed to all entities that store, process, or transmit cardholder information. The program ensures the annual validation of merchants and all service providers on both the Issuing and Acquiring side of the business.

An important distinction to make about CISP is that it is not focused only on the e-commerce payment acceptance channel. First and foremost, any merchant or service provider who processes and/or stores cardholder data is vulnerable to compromise. All merchants and service providers are responsible for establishing appropriate internal and external controls.

CISP is built upon:
•An easy to remember list of 12 basic security requirements with which all Visa payment system constituents need to comply
•More detailed sub-requirements, always tying back to the CISP requirements

Merchants will verify CISP compliance through their Acquirer. Service Providers will verify CISP compliance directly with Visa.

Plans for CISP enhancement include the release of the Automated Validation Program to the remainder of the merchant community, and definition of a specific program to ensure secure development of applications. As wireless presents a significant unknown in a rapidly growing marketplace, immediate plans include a campaign to focus awareness on security "best practices" for the wireless environment.

The CISP Requirements

1. Install and maintain a working firewall to protect data
2. Keep security patches up-to-date
3. Protect stored data
4. Encrypt data sent across public networks
5. Use and regularly update anti-virus software
6. Restrict access by "need to know"
7. Assign unique ID to each person with computer access
8. Don't use vendor-supplied defaults for passwords and security parameters
9. Track all access to data by unique ID
10. Regularly test security systems and processes
11. Implement and maintain an information security policy
12. Restrict physical access to data

How CISP Works

CISP currently applies to any entity (meaning Merchant or Service Provider) that stores, processes or transmits Visa cardholder information. All eligible Merchants and Service Providers, regardless of size (or, in the case of service providers, whether they support Issuing or Acquiring activity), must comply with the 12 basic CISP requirements. Compliance actions, however, are scaled to a level of risk that is based on the number of accounts stored or processed.
•For Select Merchants and Service Providers, compliance verification and monitoring occur through annual on-site reviews.
•For other than Select Merchants, compliance verification occurs through completion of an online self-assessment and regular confidential vulnerability scans.

CISP assessment and verification take place at the participating Merchant or Service Provider's expense. Length of time and cost of compliance depend on the extent to which the merchant or service provider is already in compliance. If an entity refuses to participate, Visa may impose a fine on the Member sponsoring or using the service provider. Ultimately, merchants and their service providers must meet the CISP requirements to continue to accept Visa payment products.

CISP compliance also includes expedited validation for compromised entities. If a merchant or service provider knows or suspects a security breach, their Acquirer must be notified immediately. The entity will then go through the program to identify and remediate the source of the compromise.

CISP Groups Defined

Visa's CISP requirements apply to all Merchants and Service Providers, regardless of size. They are, however, designed to be scalable to a level of risk that is based on the number of accounts stored, processed or transmitted. Under Visa's CISP, compliance validation standards also apply to product vendors and compromised entities. Currently, there are five distinct groups of CISP participants.

Why Comply?

CISP was mandated by the Visa U.S.A. Board of Directors in October 1999 and has been supported by ever-expanding Operating Regulations since that time. The CISP requirements help Visa Members, merchants, and service providers protect their information assets and meet their obligations to the Visa payment structure.

•Consumers Want Security
Recent media reports of hacker incidents, stolen credit card numbers, and identity theft have triggered, for consumers, a very serious concern about information security. Today, consumers want absolute assurance from the businesses they are dealing with that their bankcard account and other personally identifiable information are safe.

•Minimized Threat to Reputation and Financial Position
Financial and resource outlay is minimal compared to the costs associated with the reactive hiring of security and public relations specialists, or the loss of significant revenue and goodwill that can result from a compromise.

Visa Regulations

The Visa U.S.A. Operating Regulations govern the activities of Member financial institutions and, by extension, merchants and service providers as participants in the Visa payment system. The requirements below are extracted in "plain language" to help clarify the intent of the more formal document. Where there may be any difference of interpretation between the Operating Regulations and the plain language below, the Visa U.S.A. Operating Regulations take precedence. These references are consistent with Operating Regulations published in Nov 2002.

•CISP Compliance
A Member must comply, and ensure that its merchants or service providers comply, with the CISP requirements. Acquirers must include a CISP compliance provision in all contracts with merchants and nonmember agents.

•Disclosure of Cardholder Information
Issuers, Acquirers, and Merchants may only disclose Visa transaction information to service providers approved by Visa for:
- supporting a loyalty program; or
- providing fraud control services.
To receive Visa approval, a service provider must comply with the CISP requirements. Additionally, a Member that discloses, or allows its Merchants to disclose, Visa transaction information to a third party that has not demonstrated CISP compliance is subject to the program fines and penalties.

•CISP Compliance Penalties
Failure to comply with CISP standards or to rectify a security issue may result in fines, restrictions on the merchant, or permanent prohibition of the merchant or service provider's participation in Visa programs.

•Loss or Theft of Account Information
A Member, a Member's service provider, or a merchant or its service provider must immediately report the suspected or confirmed loss or theft, including a loss or theft by one of the Member or merchant's service providers, of any material or records that contain personally identifiable information. If a Visa Member fails to immediately notify Visa U.S.A. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the Member is subject to a penalty of $100,000 per incident.

Contact Information

For more information about the Visa CISP, contact Visa via e-mail at AskVisaUSA@Visa.com or visit their CISP dedicated website at: http://www.usa.visa.com/business/merchants/cisp_index.html#b
Source: Visa USA / www.usa.visa.com