Cardholder Information Security Program (CISP) – Visa USA Mandate

Since June 2001, Visa U.S.A. Inc. has required that each Member comply, and ensure that its merchants and agents comply, with the requirements of the Cardholder Information Security Program (CISP). To broaden adoption and hasten implementation of cardholder information security, Visa has redefined the processes for validating CISP compliance of merchants and third-party agents.

Level 1 Service Providers

The Level 1 Service Provider group includes all VisaNet Processors (Member and Nonmember) and all payment gateways. Level 1 Service Providers must validate CISP compliance with an annual onsite review, resulting in a Report on Compliance. This review must be conducted by a Visa-approved, independent security assessor in accordance with the Security Audit Procedures and Reporting document. Additionally, a quarterly system perimeter scan must be performed by a Visa-approved security assessor. Level 1 Service Providers should have already begun CISP compliance validation and must submit current compliance documentation to Visa, demonstrating full compliance, by September 30, 2004. Required documentation includes the annual Report on Compliance and the quarterly System Perimeter Scan Report. After a Level 1 Service Provider has provided compliance documentation demonstrating full compliance, it will be included on the list of CISP-Compliant Service Providers.

Level 2 and Level 3 Service Providers

The Level 2 and Level 3 Service Provider group includes any service provider (for example, a Third-Party Servicer (TPS), Independent Sales Organization (ISO), merchant vendor, Web hosting company or shopping cart, media back-up company, loyalty program vendor, risk management vendor, chargeback vendor, or credit bureau) that is not in Level 1 and stores, processes, or transmits Visa transactions. The number of transactions is determined from the gross number of Visa transactions stored, processed, or transmitted: not just for the merchant or Member supported, but for all entities supported by the service provider.

Level 2 Service Providers (more than one million Visa transactions annually)

Level 2 Service Providers must validate CISP compliance in the same manner as Level 1 Service Providers, demonstrating full compliance by September 30, 2004. After a Level 2 Service Provider has provided compliance documentation demonstrating full compliance, it will be included on the list of CISP-Compliant Service Providers.

Level 3 Service Providers (less than one million Visa transactions annually)

Level 3 Service Providers must submit compliance documentation to Visa demonstrating full compliance by September 30, 2004. Required documentation includes the annual Compliance Questionnaire and the quarterly System Perimeter Scan Report. After a Level 3 Service Provider has provided compliance documentation demonstrating full compliance, it will be included on the list of CISP-Compliant Service Providers.

CISP Compliance Validation Summary

The following is a summary of the compliance validation steps required for third parties (including ISOs, loyalty, etc.) that store cardholder data.

For each CISP Compliance Validation Level, the table lists whether an Annual Report on Compliance, a Quarterly System Perimeter Scan Report and an Annual Compliance Questionnaire are required, and the Compliance Validation Due Date.

Level 1 Service Provider: Annual Report on Compliance: Required; Quarterly System Perimeter Scan Report: Required; Annual Compliance Questionnaire: not required; Compliance Validation Due Date: September 30, 2004
Level 2 Service Provider: Annual Report on Compliance: Required; Quarterly System Perimeter Scan Report: Required; Annual Compliance Questionnaire: not required; Compliance Validation Due Date: September 30, 2004
Level 3 Service Provider: Annual Report on Compliance: not required; Quarterly System Perimeter Scan Report: Required; Annual Compliance Questionnaire: Required; Compliance Validation Due Date: September 30, 2004

Level Selection Criteria

  • Level 1: All VisaNet Processors (Member and Nonmember)
  • Level 1: All payment gateways
  • Level 2: Any service provider that is not in Level 1 and stores, processes, or transmits more than one million Visa accounts annually.
  • Level 3: Any service provider that is not in Level 1 and stores, processes, or transmits less than one million Visa accounts annually.

CISP Compliance Validation Summary
The following is a summary of the compliance validation steps required for merchants that store data.

For each CISP Merchant Compliance Validation Level, the table lists whether an Annual Report on Compliance, a Quarterly System Perimeter Scan Report and an Annual Compliance Questionnaire are required, and the Compliance Validation Due Date.

Level 1 Merchant: Annual Report on Compliance: Required; Quarterly System Perimeter Scan Report: Required; Annual Compliance Questionnaire: not required; Compliance Validation Due Date: September 30, 2004
Level 2 Merchants: Annual Report on Compliance: not required; Quarterly System Perimeter Scan Report: Required; Annual Compliance Questionnaire: Required; Compliance Validation Due Date: March 31, 2005
Level 3 Merchants: Annual Report on Compliance: not required; Quarterly System Perimeter Scan Report: Recommended; Annual Compliance Questionnaire: Recommended; Compliance Validation Due Date: To Be Announced by Member

Merchant Level Selection Criteria

  1. Level 1: More than 6 million Visa transactions processed annually
  2. Level 2: 500 thousand to 6 million Visa transactions processed annually
  3. Level 3: Less than 500 thousand Visa transactions processed annually

Terms and Definitions

Annual Compliance Questionnaire: Required for Level 3 Third Parties and for Level 2 (and Level 3) merchants to determine adherence to the Digital Dozen on the basis of a self-assessment questionnaire. Merchants must also undergo a System Perimeter Scan, performed at least quarterly by a Visa-approved security assessor.

Annual Report on Compliance (ROC): Independent security assessors review adherence to the Digital Dozen. Visa-approved assessors can be found at the CISP Web site (www.visa.com/cisp). Required for Level 1 and Level 2 Third Parties and for Level 1 merchants. Visa will accept the Report on Compliance from a merchant's internal auditor, provided that a letter signed by an executive-level officer of the merchant accompanies the report.

System Perimeter Scan: Independent security assessors perform a system perimeter scan at least quarterly. A system perimeter scan uses an automated tool that checks a third party's or merchant's systems for vulnerabilities. This applies to all third parties and merchants with external-facing Internet Protocol (IP) addresses. Even if a third party or merchant does not offer Web-based transactions, other services such as e-mail and employee Internet access will result in the Internet-accessibility of the company's network. The tool conducts a non-intrusive scan that remotely reviews networks and Web applications based on the external-facing IP addresses provided by the merchant.

© 2005 Global Payments Inc. All rights reserved.