PCI Compliance / Website Security

PCI Compliance defines the standard for securing VISA® and MasterCard cardholder data, wherever it is located. Compliance is required of all entities storing, processing, or transmitting cardholder data. Acquiring Banks must comply with PCI and are responsible for ensuring the compliance of their merchants for all payment channels, including retail (brick-and-mortar), mail/telephone-order, and ecommerce.

Click here for Demo of the PCI ToolKit Wizard.

PCI Compliance Requirements

A defined list of 12 basic security requirements with which all Merchants must comply and detailed sub-requirements, which tie back to the basic requirements

1. Install and maintain a working firewall to protect data
2. Keep security patches up-to-date
3. Protect stored data
4. Encrypt data sent across public networks
5. Use and regularly update anti-virus software
6. Restrict access by "need to know"
7. Assign unique ID to each person with computer access
8. Don't use vendor-supplied defaults for passwords and security parameters
9. Track all access to data by unique ID
10. Regularly test security systems and processes
11. Implement and maintain an information security policy
12. Restrict physical access to data

How CISP Works

Merchants are responsible for ensuring that their merchants use, service providers that are CISP-compliant. VISA® may impose a fine on non-compliant merchants and in sever cases bar the merchant from accepting VISA® Credit Cards.

Merchants receive protection from fines in the event of a data compromise when their merchant service provider is found to be CISP-compliant at the time of the security breach. Merchants are, however, subject to fines—up to $500,000 per incident—if they are not CISP compliant at the time of the breach.

CISP Groups Defined

Why Comply?

VISA® will fine or disbar a merchant whose cardholder data is compromised and is later found not to be in compliance with CISP.

Consumers Want Security

Recent media reports of hacker incidences, stolen credit card numbers, and identity theft have triggered, for consumers, a serious concern about information security among consumers. Today, consumers want absolute assurance from businesses that their credit card numbers and other personal information is secure.

Minimized Threat to Reputation and Financial Position

The financial penalties and resource outlay is minimal compared to the loss of significant revenue and goodwill that can result from having customers personal information stolen.

Disclosure of Cardholder Information

Merchants may only disclose VISA® transaction information to service providers approved by VISA®.

CISP Compliance Penalties

Failure to comply with CISP standards or to rectify a security issue may result in:

• Fines (described below)

• Restrictions on the merchant; or

• Permanent prohibition of the merchant or service provider's participation in VISA® programs.

The following fines apply for non-compliance, within a rolling 12-month period:

Loss or Theft of Account Information

Merchants must immediately report the suspected or confirmed loss or theft, including a loss or theft by one of the Member or merchant's service providers, of any material or records that contain personal identity and financial information. Failure to report a theft of account information may result in severe fines from $100,000.00-$500,000.00.