Credit Card Processing, Security and PCI Compliance

Visa Cardholder Information Security Program


April 06, 2020

As a business owner, it’s important to stay compliant when you’re accepting and processing credit card payments. In this article we’ll be exploring Visa cards, specifically the “Visa Cardholder Information Security Program (CISP).” We’ll break this down into easily understandable steps.

As with any cardholder security program, you will need to be fully compliant with PCI DSS. If you’re not already familiar with it, be sure to check out our article on PCI compliance.

Validate Your Compliance with PCI DSS with Visa

Visa provides a “level” to individual merchants based on certain factors. Basically, the number of Visa transactions passing through your business over a 12-month period tells you what level of Visa’s requirements you’ll need to meet.

Find out what you need to do in the table below. Links below the table also provide information on each requirement.

Visa CISP levels

Report on Compliance
Qualified Security Assessor
Attestation of Compliance
Self-Assessment Questionnaire
Approved Scan Vendor
* Level 4 Quarterly ASV Requirements

Regulations and Assessments

Visa has a set of rules that governs how client financial institutions (mainly banks) act. By extension, this also applies to businesses and service providers taking part in the Visa payment system.

Your bank is responsible for ensuring you and any service providers are PCI Data Security Standard compliant. Furthermore, Visa has its own core rules. You must be fully compliant at all times with sections #0002228 and #0008031 of the Visa Core Rules (VCR).

If you don’t comply with PCI DSS or you don’t fix a security issue, Visa may tell your acquirer that you are not compliant, which could result in a block on receiving credit card payments or having other penalties levied against you.

Payment Service Providers

You should only partner with approved service providers (processing companies.) Service providers process payments and deal with Visa cardholder information on your behalf. Your acquirer (generally a bank or financial institution) makes sure that authorized service providers comply with PCI DSS, but it’s important to know who you’re working with. Approved payment service providers will also have a disclaimer at the bottom of their website that states “[Name] is a registered ISO of [bank].”

For example, this image shows disclaimers from processors in the CardFellow marketplace.

ISO disclosures

If you don’t see the disclaimer on a company’s website, you may want to consider another company.

Taking Payment

You should only take payment using secure and validated payment applications and equipment. In order to accomplish that:

  • Equipment should meet Payment Application Data Security Standards.
  • Equipment (or staff) should not be saving or storing any sensitive cardholder information.

PIN transactions

If you take “Personal Identification Number (PIN)” transactions, you’ll need to comply with Visa’s PIN transaction rules, including offering secure PIN entry devices to customers who choose to enter PINs. Visa has a useful guide to those here.

Security Training

If you want to go one step further, you can get security training from Visa. In fact, the company provides training on data security trends, breaches, attacks, best practices, and the Visa compliance programs even for small businesses. You can get training through conferences, webinars, and training sessions, but it’s not required.

Useful Resources and Further Information

Ben Dwyer

BY Ben Dwyer

Ben Dwyer began his career in the processing industry in 2003 on the sales floor for a Connecticut‐based processor. As he learned more about the inner‐workings of the industry, rampant unethical practices, and lack of assistance available to businesses, he cut ties with his employer and started a blog where he could post accurate information about credit card processing. As the blog gained in popularity, Ben began directly assisting merchants in their search for a processor. Ben believes in empowering businesses by providing access to fair, competitive pricing, accurate information, and continued support. His dedication to transparency and education has made CardFellow a staunch small business advocate in the credit card processing industry.

Please join the conversation

Your email address will not be published.


Credit Card Processing exposed

Use the secrets that credit card processors don't want
you to know to drastically lower your credit card
processing fees.

Read Now!

You might also like…

American Express Data Security Operating Policy
Mastercard Location Fee

View all articles