Credit Card Processing, Security and PCI Compliance

Visa Cardholder Information Security Program

July 21, 2016

In this article we’ll explore Visa cards, specifically the “Visa Cardholder Information Security Program (CISP),” which over time evolved into the current PCI DSS standards. If you're not familiar with PCI DSS, be sure to check out our article on PCI compliance.


Validate Your Compliance with PCI DSS with Visa

Visa assigns a “level” to individual merchants based on certain factors. Basically, the number of Visa transactions passing through your business over a 12-month period determines which level of Visa’s requirements you’ll need to meet. Find out what you need to do in the table below. Links below the table also provide information on each requirement.

[Table: Visa CISP levels]

  • Report on Compliance
  • Qualified Security Assessor
  • Attestation of Compliance
  • Self-Assessment Questionnaire
  • Approved Scan Vendor
  • * Level 4 Quarterly ASV Requirements

Regulations and Assessments

Visa has a set of rules that governs how client financial institutions (mainly banks) act. By extension, this also applies to businesses and service providers taking part in the Visa payment system. Your bank is responsible for ensuring you and any service providers are PCI Data Security Standard compliant. Furthermore, Visa has its own core rules. You must be fully compliant at all times with sections #0002228 and #0008031 of the Visa Core Rules (VCR). If you don’t comply with PCI DSS or you don’t fix a security issue, Visa may tell your acquirer that you are not compliant, which could result in a block on receiving credit card payments or having other penalties levied against you.

Payment Service Providers

You should only partner with approved service providers (processing companies). Service providers process payments and deal with Visa cardholder information on your behalf. Your acquirer (generally a bank or financial institution) makes sure that authorized service providers comply with PCI DSS, but it's important to know who you're working with. Approved payment service providers will also have a disclaimer at the bottom of their website that states “[Name] is a registered ISO of [bank].” For example, this image shows disclaimers from processors in the CardFellow marketplace.

[Image: ISO disclosures]

If you don’t see the disclaimer on a company’s website, you may want to consider another company.

Taking Payment

You should only take payment using secure and validated payment applications and equipment. In order to accomplish that:
  • Equipment should meet Payment Application Data Security Standards.
  • Equipment (or staff) should not be saving or storing any sensitive cardholder information.

PIN transactions

If you take “Personal Identification Number (PIN)” transactions, you’ll need to comply with Visa’s PIN transaction rules, including offering secure PIN entry devices to customers who choose to enter PINs. Visa has a useful guide to those here.

Security Training

If you want to go one step further, you can get security training from Visa. In fact, the company provides training on data security trends, breaches, attacks, best practices, and the Visa compliance programs even for small businesses. You can get training through conferences, webinars, and training sessions, but it's not required.

Useful Resources and Further Information

Ben Dwyer

Ben Dwyer began his career in the processing industry in 2003 on the sales floor for a Connecticut‐based processor. As he learned more about the inner‐workings of the industry, rampant unethical practices, and lack of assistance available to businesses, he cut ties with his employer and started a blog where he could post accurate information about credit card processing. As the blog gained in popularity, Ben began directly assisting merchants in their search for a processor. Ben believes in empowering businesses by providing access to fair, competitive pricing, accurate information, and continued support. His dedication to transparency and education has made CardFellow a staunch small business advocate in the credit card processing industry.
