Overview
Customers who pay using a Visa payment card want and deserve assurance
that their account information is safe.
That is why Visa Europe instituted the Payment System Risk (PSR)
programme - formerly the Account Information Security (AIS)
programme. PSR protects Visa cardholder data wherever it resides –
ensuring that members, merchants and service providers maintain the
highest information security standards.
In 2004 the PSR requirements were incorporated into an industry
standard known as Payment Card Industry Data Security Standard (PCI
DSS), the result of a cooperative effort between Visa and
MasterCard to create common industry security requirements.
The PCI Security Standards Council (PCI SSC) was established on
September 7 2006. It owns, maintains and distributes the PCI DSS,
as well as standards for software security and PIN-entry
devices. Visa Europe, however, continues to manage all data
security compliance enforcement and validation initiatives for
Visa-issued cards within the European market.
PCI DSS compliance
PCI DSS compliance is required of all entities that store,
process or transmit Visa cardholder data, including financial
institutions, merchants and service providers. The PCI DSS applies
to all payment channels, including retail (brick-and-mortar),
e-commerce and mail or telephone order. Visa Europe's compliance
programmes manage both compliance with the PCI DSS and the required
programme validation.
The PCI DSS offers a comprehensive approach to safeguarding
sensitive data for all card brands. It consists of 12 basic
requirements, categorised as follows:
PCI Data Security Standard

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other
   security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information
   across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder
    data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security
By complying with the PCI DSS, Visa members, merchants and
service providers not only meet their obligations to the payment
system, but also build a culture of security that benefits
everyone.
Visit the PCI Security Standards Council website for more information.
Compliance validation
Separate and distinct from the mandate to comply with the PCI
DSS is the need for entities to verify and demonstrate their
compliance status. It's a fundamental and critical function that
identifies and corrects vulnerabilities and protects customers by
ensuring that appropriate levels of cardholder information security
are maintained.
Visa Europe has prioritised and defined levels of compliance
validation based on the volume of transactions and the potential
risk and exposure introduced into the payment system by merchants
and service providers.
More information