Visa Credit Card Compliance
As a merchant, you’ve heard a lot about PCI compliance and the PCI Data Security Standards. Compliance is vital to keeping credit card and cardholder information safe, but it is a relatively new concept. The data security standards that now govern how credit cards are processed began not long ago as a rigorous set of security protocols within the Visa Corporation.
CISP and PCI Compliance
The Cardholder Information Security Program (CISP) was originally instituted by Visa to protect valuable credit card information by holding merchants, banks and credit card processors to the highest data security standards. The program was so effective that it was adopted by the entire industry and is now known as the Payment Card Industry Data Security Standards (PCI DSS). Soon after, the five major credit card companies (Visa, MasterCard, Discover, American Express and JCB International) established a governing body to oversee these standards, and the PCI Security Standards Council (PCI SSC) was born.
The birth of compliance
Visa launches Cardholder Information Security Program (CISP)
CISP becomes the PCI Data Security Standards
The five major credit card companies create the PCI Security Standards Council
Visa continues to rigorously enforce the compliance validation initiatives that it began under CISP. The PCI DSS delineates a four-level compliance classification system for merchants based on annual volume of transactions and potential risk. Merchants who accept Visa must adhere to the specific requirements for their merchant level under PCI DSS. Learn more about the four levels of PCI Compliance.
If a merchant is out of compliance with the data security standards and suffers a data security breach, Visa may issue substantial fines to that merchant. The fines may be waived, however, if a forensic audit does not discover evidence of noncompliance. Visa recommends that merchants maintain full compliance at all times in order to avoid fines and reduce the chance of a data security breach.
Tips for improving data security
Visa has created a list of recommendations to help merchants maintain compliance and protect valuable cardholder information, based on the 12 requirements of the PCI Data Security Standards.
Make sure that any Internet-ready credit card processing equipment (computer, terminal or software) has appropriate firewalls properly installed and configured to prohibit all unauthorized traffic (Req. 1).
Install anti-virus and anti-malware programs on any computer systems used for credit card processing, and update these programs regularly (Req. 5).
Create unique and complex passwords for every employee who has access to your payment systems (Req. 8), and change all IDs and passwords from the defaults supplied by the vendor (Req. 2).
Be aware of everyone who has access to your sensitive systems, from employees to vendors, and be sure to track their network activity (Req. 10).
Ensure that all records of sensitive information (including credit card numbers and expiration dates), whether paper or electronic, are either destroyed or securely stored (Reqs. 3 & 9).
Make sure your credit card processing systems are regularly scanned for vulnerabilities by an approved scanning vendor (Req. 11).