Visa Cardholder Information Security Program

In this article we’ll be exploring Visa cards, specifically the “Visa Cardholder Information Security Program (CISP)” which over time evolved into the current PCI DSS standards. If you’re not familiar with PCI DSS, be sure to check out our article on PCI compliance.


Validate Your Compliance with PCI DSS with Visa

Visa provides a “level” to individual merchants based on certain factors. Basically, the number of Visa transactions passing through your business over a 12-month period tells you what level of Visa’s requirements you’ll need to meet.

Find out what you need to do in the table below. Links below the table also provide information on each requirement.

Visa CISP levels

Report on Compliance
Qualified Security Assessor
Attestation of Compliance
Self-Assessment Questionnaire
Approved Scan Vendor
* Level 4 Quarterly ASV Requirements

Regulations and Assessments

Visa has a set of rules that governs how client financial institutions (mainly banks) act. By extension, this also applies to businesses and service providers taking part in the Visa payment system.

Your bank is responsible for ensuring you and any service providers are PCI Data Security Standard compliant. Furthermore, Visa has its own core rules. You must be fully compliant at all times with sections #0002228 and #0008031 of the Visa Core Rules (VCR).

If you don’t comply with PCI DSS or you don’t fix a security issue, Visa may tell your acquirer that you are not compliant, which could result in a block on receiving credit card payments or in other penalties being levied against you.

Payment Service Providers

You should only partner with approved service providers (processing companies). Service providers process payments and deal with Visa cardholder information on your behalf. Your acquirer (generally a bank or financial institution) makes sure that authorized service providers comply with PCI DSS, but it’s important to know who you’re working with. Approved payment service providers will also have a disclaimer at the bottom of their website that states “[Name] is a registered ISO of [bank].”

For example, this image shows disclaimers from processors in the CardFellow marketplace.

ISO disclosures

If you don’t see the disclaimer on a company’s website, you may want to consider another company.

Taking Payment

You should only take payment using secure and validated payment applications and equipment. In order to accomplish that:

  • Equipment should meet Payment Application Data Security Standards.
  • Equipment (or staff) should not be saving or storing any sensitive cardholder information.

PIN transactions

If you take “Personal Identification Number (PIN)” transactions, you’ll need to comply with Visa’s PIN transaction rules, including offering secure PIN entry devices to customers who choose to enter PINs. Visa has a useful guide to those here.

Security Training

If you want to go one step further, you can get security training from Visa. In fact, the company provides training on data security trends, breaches, attacks, best practices, and the Visa compliance programs even for small businesses. You can get training through conferences, webinars, and training sessions, but it’s not required.

Useful Resources and Further Information
