Visa Cardholder Information Security Program
As a business owner, it’s important to stay compliant when you’re accepting and processing credit card payments. In this article we’ll be exploring Visa cards, specifically the “Visa Cardholder Information Security Program (CISP).” We’ll break this down into easily understandable steps.
As with any cardholder security program, you will need to be fully compliant with PCI DSS. If you’re not already familiar with it, be sure to check out our article on PCI compliance.
- Validate Your Compliance with PCI DSS with Visa
- Regulations and Assessments
- Payment Service Providers
- Taking Payment
- Security Training
- Useful Resources and Further Information
Validate Your Compliance with PCI DSS with Visa
Visa provides a “level” to individual merchants based on certain factors. The number of Visa transactions passing through your business over a 12-month period tells you what level of Visa’s requirements you’ll need to meet.
Find out what you need to do in the table below. Links below the table provide more information on each requirement.
Regulations and Assessments
Visa has a set of rules that governs how client financial institutions (mainly banks) act. By extension, this also applies to businesses and service providers taking part in the Visa payment system.
Your bank is responsible for ensuring you and any service providers are PCI Data Security Standard compliant. Additionally, Visa has its own core rules - You must be fully compliant at all times with sections #0002228 and #0008031 of the Visa Core Rules (VCR).
If you don’t comply with PCI DSS or you don’t fix a security issue, Visa may tell your acquirer that you are not compliant, which could result in a block on receiving credit card payments or having other penalties levied against you.
Payment Service Providers
You should only partner with approved service providers (processing companies.) Service providers process payments and deal with Visa cardholder information on your behalf. Your acquirer (generally a bank or financial institution) makes sure that authorized service providers comply with PCI DSS. Approved payment service providers will have a disclaimer at the bottom of their website that states “[Name] is a registered ISO of [bank]” as in this image of disclaimer examples from processors in the CardFellow marketplace.
If you don’t see the disclaimer on a company’s website, you may want to consider another company.
You should only take payment using secure and validated payment applications and equipment. This means:
- Equipment should meet Payment Application Data Security Standards.
- Equipment (or staff) should not be saving or storing any sensitive cardholder information.
If you take “Personal Identification Number (PIN)” transactions, you’ll need to comply with Visa’s PIN transaction rules, including offering secure PIN entry devices to customers who choose to enter PINs. Visa has a useful guide to those here.
If you want to go one step further, you can get security training from Visa. The company provides training on data security trends, breaches, attacks, best practices, and the Visa compliance programs. You can get training through conferences, webinars, and training sessions.
Useful Resources and Further Information
- Small merchant data security requirements.
- Find an Approved Scan Vendor.
- If your security might have been compromised.
Paul Maplesden is a writer specializing in business, finance, and technology. He finds research and writing about money deeply interesting.