Tuesday, November 25, 2008

Cardholder Information Security Program

Visa has established the Cardholder Information Security Program (CISP) to define standards for protecting sensitive information. CISP compliance is mandatory for all merchants that accept Visa credit cards and for merchant services companies that provide payment processing services. There are twelve basic CISP requirements that merchants and service providers have to meet. By demanding compliance with all of these requirements, Visa ensures that if one of them fails, there are other walls left to protect the sensitive information from unauthorized use. CISP requires that merchants:
  1. Install and maintain a functioning firewall to protect personal data.
  2. Regularly install security updates.
  3. Protect stored data.
  4. Encrypt cardholder and other sensitive information when transmitted across public networks.
  5. Install and regularly update anti-virus software or programs.
  6. Restrict internal access to cardholder account data on a "need-to-know" basis.
  7. Assign a unique user ID to each person with computer access to sensitive data.
  8. Do not use vendor-supplied default settings for system passwords and other security parameters.
  9. Track access to data by unique user ID.
  10. Regularly test security systems and processes.
  11. Establish and maintain information security requirements for employees and contractors.
  12. Restrict physical access to cardholder information.

The above CISP requirements apply to any merchant or payment processing service provider that stores, processes, or transmits Visa cardholder information. All eligible merchants and card processing service providers, regardless of size (or, in the case of service providers, whether they support issuing or merchant activity), must comply with the twelve basic CISP requirements.