12 steps to keep your business safe

Providing customers with a safe, reliable transactions network is a priority your business shares with the entire global payments industry. The threat of data piracy is real, and simple procedures can and must be taken to anticipate it — and to spot crimes quickly when thieves momentarily succeed.

To help, Visa joined with other founding members of the PCS Security Standards Council to create the Payment Card Industry Data Security Standard, an industry standard for companies worldwide. All Visa acquirers and issuers must comply with the Standard, and also ensure that their merchants and service providers — everyone storing, processing, or transmitting Visa account numbers — do the same.

Following these 12 steps will ensure transactions are conducted with confidence and ease, worldwide.

If your system is compromised

Act swiftly if a security breach occurs. Notify Visa, investigate, and report what you learn. Our online guide can assist clients, merchants, and service providers through every step of the process. Go to www.visa.com/cisp to learn more.

For more information

More detailed information on Visa’s security compliance program is available at www.visa.com/cisp. Learn about complying with the Standard, validation requirements, PIN security and key management, and more. Plus, stay current with data security by accessing alerts, bulletins, and webinars.

Payment Card Industry Data Security Standard (PCI DSS)

Commit to these steps in order to ensure compliance with the industry’s recommended practices.

Build and maintain a secure network

1. Install and maintain a firewall configuration to protect data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data and sensitive information across open public networks.

Maintain a vulnerability management

5. Use and regularly update anti-virus software.

6. Develop and maintain secure systems and applications.

Implement strong access control measures

7. Restrict access to data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

Maintain an information security policy

12. Maintain a policy that addresses information security.

Validating your compliance

Validation with PCI DSS is highly important. It certifies that cardholder data is being safely handled at your location and reveals any weaknesses to be addressed.

Visa has created four validation levels tied to transaction volume and the level of risk posed, each requiring different steps. Level 1 is the highest.

Businesses validate their compliance either through an Annual On-Site Security Assessment or an Annual Self-Assessment Questionnaire. Both also require a Network Vulnerability Scan to be conducted once every quarter, if it is applicable.

Effective 1 October 2012, Visa’s Technology Innovation Program (TIP) rewards U.S. merchants that have invested in EMV technology by eliminating the PCI DSS validation requirement for any year in which at least 75 percent of the eligible merchant’s Visa transactions originate from dualinterface EMV chip-enabled terminals. Learn more at visa.com/cisp.

For acquirers and issuers

At a minimum, acquirers are responsible for ensuring that their merchants comply with PCI DSS, and receive appropriate validation. Issuers need to join with them to make sure that Third Party Agents — as well as those used by their merchants — are registered with Visa and complying with the Standard.

Visa acquirers and issuers must also register all Third Party Agents with Visa. Registration of Third Party Agents can be accomplished through the Visa Membership Management application (VMM), which is accessible through Visa Online (www.us.visaonline.com).

For merchants

The number of steps necessary for validation is determined by a merchant’s total transaction volume over a 12-month period. Use this chart to determine your level.

MERCHANT LEVELDESCRIPTION
1Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region.
2Merchants processing 1 million to 6 million Visa transactions annually (all channels).
3Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
4Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.

For service providers

Service providers that store, process, or transmit cardholder data on behalf of acquirers, issuers, and merchants are categorized into one of two levels, defined by their number of annual Visa transactions. Those grouped in Level 1 — signifying 300,000 or more such transactions — are listed on Visa’s Global Registry of Service Providers. Level 2 providers can join the list by undergoing a Level 1 Annual Onsite Security Assessment.

SERVICE PROVIDER LEVELDESCRIPTIONPOSTED ON VISA’S GLOBAL REGISTRY OF SERVICE PROVIDERS
1VisaNet® processors or any service provider that stores, processes, and/or transmits over 300,000 Visa transactions annually.YES
2Any service provider that stores, processes, and/or transmits less than 300,000 Visa transactions annually.NO*
Level 2 service providers may choose to validate as a Level 1 service provider in order to be listed on Visa’s Global Registry of Service Providers.

Another way to keep data safe

The PCI Payment Application Data Security Standard (PA-DSS) applies to payment application vendors. It is intended to lessen the risk of security breaches in payment applications, prevent storage of sensitive authentication data (i.e., full magnetic-stripe data, CVV2, and PIN data), and support overall compliance with PCI DSS.

Visa’s policies are intended to support these standards by ensuring our merchants and service providers do not use payment applications that retain data, thereby making it easier to steal. For those doing business with Visa, that means using applications found to comply with this important data standard. To learn more about what is required, go to www.visa.com/cisp.

Secure technologies such as point-to-point encryption and tokenization, when implemented in accordance with the PCI DSS, may help simplify PCI DSS compliance. Go to www.pcissc.org for guidelines on these technologies.

  COMPLIANCE ACTIONSVALIDATION ACTIONS
GROUPLEVELCOMPLY WITH PCI DSSON-SITE SECURITY ASSESSMENTSELF-ASSESSMENT QUESTIONNAIRENETWORK SCAN**
Merchant1RequiredRequired Annually Required Quarterly
 2 & 3Required Required AnnuallyRequired Quarterly
 4*Required Recommended AnnuallyRequired Quarterly
Service Providers1RequiredRequired Annually Required Quarterly
Service Providers2Required Required AnnuallyRequired Quarterly
*Validation requirements are determined by the merchant’s acquirer.
**Network scanning is applicable to any internet facing system.