Keeping Electronic Payments Secure

Trust is central to the success of the electronic payments industry. That is why Visa has long been one of the leaders in creating solutions to data security challenges.

Creating the Standard for Data Security

Visa was the early leader in addressing emerging information security concerns. In 2000, Visa established the Cardholder Information Security Program (CISP), the first set of standards for protecting sensitive cardholder data wherever it is located. The CISP program formed the basis for what would later become the industry-wide standard that applies to any entity storing, processing or transmitting sensitive cardholder data.

In 2004, Visa and the other major payments brands agreed to align their respective data security requirements under a single, worldwide standard known as the Payment Card Industry Data Security Standard (PCI DSS). The result has been wider acceptance of standard security requirements for the industry and greater protection of cardholder data.

Aggressive Compliance Enforcement

While the industry-wide standards are managed by the PCI Security Standards Council, it is up to the individual payment brands to enforce the standards. This is a responsibility Visa has taken seriously.

In 2006, Visa announced the Visa PCI Compliance Acceleration Program (PCI CAP), a program offering up to $20 million in financial incentives to further merchant compliance with the industry-wide PCI requirements. The program was the first of its kind to provide positive reinforcement to the industry's traditional, fine-only approach. The program also created tough new sanctions, including fines for the prohibited storage of certain sensitive data and for not achieving full PCI compliance. Through this innovative program, Visa was the first in the industry to link interchange benefits with security, applying the best available rates only to transactions at compliant merchants.

When the program was announced, compliance among the largest merchants (Level 1) was at 36 percent, and compliance among medium-sized Level 2 merchants stood at just 15 percent. Together, Level 1 and Level 2 merchants account for more than half of Visa's volume. To encourage acquirers and merchants to comply, Visa imposed a September 30, 2007, deadline for Level 1 merchant compliance. After the deadline, Visa began levying fines of $25,000 a month to U.S. acquirers for each of their Level 1 merchants that had not validated PCI DSS compliance. Since the program began, compliance has escalated rapidly. To date, more than 99 percent of Level 1 and 2 merchants have confirmed that they do not store sensitive data, thus minimizing one of the most significant risks to payment system data.

Visa has also been actively encouraging smaller merchants to become compliant with the PCI DSS. In May 2007, Visa announced requirements for U.S. acquirers to identify security risks among their small merchant customers and develop an educational program to raise the merchants' awareness and understanding of the importance of data security to their businesses and PCI DSS. Since Visa announced the requirement, 100 percent of active U.S. acquirers have submitted plans to Visa and are in the process of implementing their security programs.

Developing Tools to Assist Compliance Efforts – Focus on Payment Software

In addition to providing incentives and fines to encourage compliance, Visa has sought to create tools that better secure the payments environment and reinforce compliance efforts. In 2005, Visa established the Payment Application Best Practices (PABP) program to help software vendors create secure payment applications. In forensic investigations of data breaches, some payment applications were found to store prohibited data, thus creating vulnerabilities for their users. To better protect cardholder information, Visa has announced plans to require merchants to use only payment system software that does not store sensitive data.

In late 2007, the PCI Security Standards Council recognized Visa’s leadership by adopting Visa's PABP as the new security standard for third-party application software in the payment industry, calling it the Payment Application Data Security Standard (PA-DSS).

Providing Outreach and Educational Resources

Visa’s data security leadership has also extended to educational outreach efforts among merchants, acquirers, processors and payment application vendors. Visa’s online education center at www.visa.com/cisp offers a series of webinars, security alerts and training seminars that help merchants better understand the PCI DSS and the validation requirements.

“Visa has partnered with BBB many times over the past decade and set a great example, combining vision and practical know-how, as an industry leader by helping small businesses learn how to address data and payment security issues.”

Steven J. Cole
President & CEO
Council of Better Business Bureaus

Joining with prominent business organizations, Visa has sought to multiply those outreach efforts. Visa joined with the U.S. Chamber of Commerce to conduct a 21-city Merchant Data Security Tour in 2005–2006 reaching more than 60,000 small businesses. In 2007, Visa teamed with the National Federation of Independent Business (NFIB) to conduct a data security seminar for small businesses and to produce the NFIB Guide to Data Security, a booklet created specifically for its 35,000 small business members. Visa also contributed to the development of the Council of Better Business Bureaus guide Security & Privacy – MADE SIMPLER and has worked with financial institutions to distribute it to both small business cardholders and card-accepting small businesses nationwide.

There is no higher priority for Visa than to maintain the security of its payments system. Visa’s ongoing commitment has helped the company keep fraud rates low and is why Visa is one of the leaders in payments industry security.

VISA DATA SECURITY COMPLIANCE MILESTONES

2000
Visa establishes the Cardholder Information Security Program (CISP), the first set of standards for protecting sensitive cardholder data wherever it resides.

2001
CISP becomes mandatory for any entity storing, processing or transmitting sensitive Visa cardholder data. The CISP requirements serve as the model for best practices published by the G-8 at their 2001 Conference on High-Tech Crime in Tokyo.

2004
Visa’s CISP data security requirements form the basis for the Payment Card Industry Data Security Standard (PCI DSS), a common set of industry tools and measurements to help ensure the safe handling of sensitive cardholder information.

2005
Visa establishes the Payment Application Best Practices (PABP) to help software vendors create secure payment applications, thereby helping their customers comply with PCI DSS and preventing them from being exposed to a data security breach.

For the year, Visa levies $3.5 million in data security fines.

2006
Visa offers $20 million in financial incentives and creates new sanctions in an effort to further merchant compliance with the PCI DSS through the Visa PCI Compliance Acceleration Program (PCI CAP). The effort is the first of its kind to provide positive reinforcement to the industry’s traditional, fine-only approach.

Visa becomes the first brand to publicly announce PCI DSS compliance rates:
  • Level 1 merchants: 36%
  • Level 2 merchants: 15%
For the year, Visa levies $4.6 million in data security fines.

2007
July – Visa announces a program designed to help the nation's small businesses improve their security. Visa’s program calls for acquiring financial institutions to identify and address risks among their small merchant customers, including identifying whether merchants are storing sensitive account data and are complying with the PCI DSS.

July – Visa announces that 96 percent of the largest businesses (Level 1 and Level 2 merchants) that accept Visa cards for payment have confirmed they are not storing sensitive account data. Visa becomes the first card brand to levy fines for storing sensitive data. Visa updates PCI DSS compliance rates:
  • Level 1 merchants: 40%
  • Level 2 merchants: 33%
October – Visa begins levying fines of $25,000 a month to U.S. acquirers for each of their Level 1 merchants that had not validated PCI DSS compliance by the September 30 deadline. Visa becomes the first card brand to levy fines solely based on compliance status.

October – Visa updates PCI DSS compliance rates:
  • Level 1 merchants: 65%
  • Level 2 merchants: 43%

November – The PCI Security Standards Council adopts the Payment Application Best Practices pioneered by Visa as the new security standard for third-party application software in the payment industry. The new industry standard is called the Payment Application Data Security Standard (PA-DSS).

November – Visa announces a series of requirements for U.S. merchants and their agents to use payment system software that does not store sensitive card information. The requirements are designed to protect cardholder information and complement other security efforts, including compliance with PCI DSS.

December – Visa updates PCI DSS compliance rates:
  • Level 1 merchants: 77%
  • Level 2 merchants: 62%
In 2007, Visa assessed $11.5 million in fines to acquirers. This total includes fines for prohibited data storage and PCI CAP non-compliance as well as fine assessments associated with data compromises. Compromise fines to acquirers are associated with merchants from all level categories.