Summary of Requirements
Visa CISP requires member service providers to protect cardholder information by maintaining secure transactions. By June 2005, all online merchants processing more than 20,000 transactions per year are to provide a quarterly compliance questionnaire. Failure to do so will result in fines, restrictions or permanent expulsion from card acceptance programs.
Visa has condensed the material in this standard, and these condensed requirements are used as the checkpoints for complying with it.
The following is a summary of Visa's requirements for keeping Account and Transaction Information secure:
- Establish a hiring policy for staff and contractors.
- Restrict access to data on a "need to know" basis.
- Assign each person a unique ID to be validated when accessing data.
- Track access to data, including read access by each person.
- Install and maintain a network firewall if data is accessed via the Internet.
- Encrypt data held in databases or files that can be accessed from the Internet.
- Encrypt data sent across networks.
- Protect systems and data from viruses.
- Keep security patches for software up-to-date.
- Don't use vendor-supplied defaults for system passwords and other security parameters.
- Don't leave papers/diskettes/computers (data) unsecured.
- Securely destroy data when it's no longer needed for business reasons.
- Regularly test security systems and procedures.
- Immediately investigate, and report to Visa, any suspected loss of Account or Transaction Information.
- Use only service providers that meet these security standards.
- Members must limit physical and logical access to Account and Transaction Information.
- Members, agents and merchants must implement controls to prevent the unauthorized reading, changing or destruction of Account and Transaction Information.
- Members, agents and merchants must protect Account and Transaction Information in all forms, whether it is stored on a computer system or removable media, transmitted on a network, displayed on a computer screen or is in printed form.
- Members, agents and merchants must destroy Account and Transaction Information that is no longer needed to satisfy Visa transaction processing, local law and risk management requirements, so that unauthorized access to the information does not occur.
- Members, agents and merchants must transmit Account and Transaction Information in a secure electronic manner. If it cannot be transmitted electronically, any other form of transmission must be secure (for example, secured courier or magnetic tapes).
- Members, agents and merchants must use appropriate authentication mechanisms to validate access to Account and Transaction Information.
i. They must require appropriate authentication mechanisms (for example, security badges) for physical access to premises where Account and Transaction Information is stored or processed.
ii. Members, agents and merchants must also require appropriate authentication mechanisms (for example, passwords, digital certificates, and so on) for logical access to Account and Transaction Information.
- Members, agents and merchants must create an audit log that identifies the following:
i. Who accessed Account and Transaction Information
ii. When the access started
iii. When the access ended
iv. What information was accessed
- Members, agents and merchants must have and implement a human resource policy, which appropriately addresses information security considerations for employees, contract workers and temporary workers.
- Members, agents and merchants must divide critical Account and Transaction Information security functions so that no single individual can subvert the integrity of systems or procedures that protect Account and Transaction Information.
- Members, agents and merchants must adopt, publish, and implement appropriate procedures to define a methodology that prevents the transmission or other delivery of Account and Transaction Information to any organization that has used Account and Transaction Information for recent fraudulent activity or has been involved with material recent criminal activity.
- Members, agents and merchants must adopt, publish, and implement appropriate procedures to define a methodology that identifies unauthorized access, including read access, to Account and Transaction Information. Where such unauthorized access is discovered, Members must investigate the incident and prepare an analysis; corrective actions based on that analysis must be taken in a timely manner, and the analysis must be retained for audit purposes. The Member Fraud Control Manual includes procedures for investigating actual or potential unauthorized access to Account and Transaction Information.
- A merchant must not disclose or remit Account and Transaction Information to third parties other than the acquirer or the acquirer's designated agent.
- Members must inspect and monitor their agents and merchants to ensure they maintain appropriate security standards and procedures against unauthorized disclosure of Account and Transaction Information, and must conduct appropriate inspections annually. Alternatively, Members can use the services of agents whose security has been certified by Visa.
- Members must annually inspect or revalidate the corrective plans of organizations classified as high risk until the organization is no longer classified as high risk.
- Members must perform annual information security self-audits. The corporate officer responsible for the Member's auditing function must provide Visa with a certificate attesting that the Member conducted the self-audit and is in compliance with these Visa standards, including proper enforcement of its agents' and merchants' compliance with the applicable Account Information Security Standards.
- Members must include in the annual certification a list of all agents and merchants that are not in compliance with the Account Information Security Standards, together with their status and a summary of corrective actions, taken or planned, for each non-compliant agent or merchant. The Member must accept all liability for all of its agents and merchants.
- Members must protect and indemnify Visa and its Members from all liability that may arise through the actions or omissions of any of their agents and merchants.
Secure Auditor™ helps meet the requirements set forth by Visa, in particular the requirement to regularly test security systems and procedures: it runs periodic tests on the different operational systems to find vulnerabilities, supports mitigating the risk by implementing solutions, and produces reports of the tests conducted, which are an essential element of Visa compliance.