The PCI/CISP Requirements
A defined list of 12 basic security requirements with which all Merchants must comply and detailed sub-requirements, which tie back to the basic requirements
- Install and maintain a working firewall to protect data
- Keep security patches up-to-date
- Protect stored data
- Encrypt data sent across public networks
- Use and regularly update anti-virus software
- Restrict access by "need to know"
- Assign unique ID to each person with computer access
- Don't use vendor-supplied defaults for passwords and security parameters
- Track all access to data by unique ID
- Regularly test security systems and processes
- Implement and maintain an information security policy
- Restrict physical access to data
How CISP Works
Merchants are responsible for ensuring that their merchants use, service providers that are CISP-compliant. Visa may impose a fine on non-compliant merchants and in sever cases bar the merchant from accepting Visa Credit Cards.
Merchants receive protection from fines in the event of a data compromise when their merchant service provider is found to be CISP-compliant at the time of the security breach. Merchants are, however, subject to fines—up to $500,000 per incident—if they are not CISP compliant at the time of the breach.
CISP Groups Defined
Merchant Level |
Selection Criteria |
Must submit Compliance documentation by: |
1 |
More than 6 million Visa transactions processed annually |
September 30, 2004 |
2 |
500 thousand to 6 million Visa transactions processed annually |
June 30, 2005 |
3 |
Less than 500 thousand Visa transactions processed annually |
TBD by Member |
Why Comply?
Visa will fine or disbar a merchant whose cardholder data is compromised and is later found not to be in compliance with CISP.
Consumers Want Security
Recent media reports of hacker incidences, stolen credit card numbers, and identity theft have triggered, for consumers, a serious concern about information security among consumers. Today, consumers want absolute assurance from businesses that their credit card numbers and other personal information is secure.
Minimized Threat to Reputation and Financial Position
The financial penalties and resource outlay is minimal compared to the loss of significant revenue and goodwill that can result from having customers personal information stolen.
Disclosure of Cardholder Information
Merchants may only disclose Visa transaction information to service providers approved by Visa.
CISP Compliance Penalties
Failure to comply with CISP standards or to rectify a security issue may result in:
- Restrictions on the merchant; or
- Permanent prohibition of the merchant or service provider's participation in Visa programs.
The following fines apply for non-compliance, within a rolling 12-month period:
First violation |
$50,000 |
Second violation |
$100,000 |
Third violation |
Management discretion |
Loss or Theft of Account Information
Merchants must immediately report the suspected or confirmed loss or theft, including a loss or theft by one of the Member or merchant's service providers, of any material or records that contain personal identity and financial information. Failure to report a theft of account information may result in severe fines from $100,000.00-$500,000.00
|
