Visa Account Information Security Tool Kit
Welcome to the Visa Account Information Security Program

Contents
1.0 Securing cardholder data is everyone’s concern
2.0 Visa Account Information Security (AIS) program
2.1 AIS and the Payment Card Industry Data Security Standards (PCI DSS)
2.2 The PCI DSS requirements
2.3 What if organizations choose not to be involved in the AIS program?
3.0 The benefits of AIS to businesses and customers
3.1 The feedback from merchants and payment processors
4.0 How Visa’s AIS program works
4.1 How do you know if you meet the PCI DSS standards
4.2 How often do the validation tasks need to be completed
4.3 Required documentation
5.0 How to get started with AIS
5.1 Self-Assessment Questionnaire
5.2 Vulnerability scan
5.3 Onsite review
5.4 What is the cost?
6.0 Need more information or help?

1.0 Securing cardholder data is everyone’s concern

Data security is not a new issue, and facilitating the protection of cardholder data has long been a priority for Visa. Over the last several years, Visa has developed a multi-layered product and services strategy to help safeguard data and prevent fraud. Today these data security efforts include sophisticated neural networks that detect fraud patterns by comparing a transaction to a customer’s typical spending pattern, chip and PIN technology to authenticate transactions, Verified by Visa for the authorization of Internet purchases, and many other activities. Through Visa’s data security efforts, fraud as a percentage of Visa’s volume has decreased over the last decade to an all-time low and now accounts for less than 6 basis points (6 cents in every USD100) of Visa’s global sales volume. However, as global research sponsored by Visa shows, the protection of personal and private information is a major concern of consumers.
While concern over data security is a broader issue than electronic payments alone, Visa knows that maintaining cardholder confidence is crucial to the success of the Visa system. Visa is therefore committed to working with all stakeholders in the payment chain – including client banks, technology partners, merchants and consumers – to safeguard sensitive cardholder data.

2.0 Visa Account Information Security

When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. Recognizing this, Visa has instituted Account Information Security. Visa Account Information Security is a globally mandated program that focuses on helping clients, merchants and payment service providers improve their data security measures in order to safeguard Visa cardholder account and transaction information – wherever it resides.

Account Information Security, or AIS, is a Risk Management program sponsored by Visa and run by Visa’s clients. The AIS program is a requirement for all entities participating in the Visa payment system, including those entities that process, store or transmit Visa cardholder account and/or transaction information, such as merchants and service providers.

The Visa Account Information Security program is designed to provide guidelines for clients, merchants and service providers that help them to proactively protect themselves and the overall payment system against the threat of compromises. The program accomplishes this by identifying vulnerabilities in security processes, procedures and website configurations. The Visa Account Information Security program aims to eliminate unnecessary data storage, and to ensure that entities who need to store data are doing so in accordance with the Payment Card Industry Data Security Standard (PCI Data Security Standard).
2.1 AIS and the Payment Card Industry Data Security Standards

Visa has collaborated with other payment card companies to create a single set of industry requirements, called the Payment Card Industry (PCI) Data Security Standard, for consumer data protection. The PCI Data Security Standard forms the basis of Visa’s Account Information Security program (also known as the Cardholder Information Security Program in the U.S.), MasterCard’s Site Data Protection (SDP) program and other payment brands’ information security programs, creating streamlined requirements, compliance criteria and validation processes. The PCI Data Security Standard also addresses the concern of merchants and acquirers (financial institutions that enable merchants to accept Visa cards for payment) about having to meet more than one set of standards to accomplish a single goal.

Since the aim of the AIS Program is compliance with the PCI Data Security Standard, merchants and service providers must demonstrate this compliance by using the following validation tools:
- Onsite Reviews
- Security Self-assessments
- Security Scans

2.2 The Payment Card Industry Data Security Standards (PCI DSS) requirements

At a basic level, PCI DSS consists of 12 key requirements for protecting Visa cardholder account and transaction information:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across public, open networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

The PCI DSS standards applied by the AIS program are designed to protect the confidentiality, availability and integrity of customer data. The standards represent the key requirements for handling or managing Visa account information.

2.3 What if organizations choose not to be involved in the AIS program?

Visa may levy financial penalties on acquirers and may require that specific actions be taken to protect account and transaction information. Should a compromise occur and the organization has not taken the appropriate steps to ensure that account information was protected, the acquiring bank may be financially penalized and the organization’s licence to accept card payments may be withdrawn.

3.0 The benefits of PCI DSS to businesses and customers

Our ultimate goal is to protect the Visa brand and increase cardholder confidence while shopping in the physical and virtual marketplace. Continuing media reports of hacking incidents, stolen credit card numbers and identity theft have triggered concern about information security, not only amongst consumers, merchants, Visa and its clients, but also among governments and regulators. The AIS program is designed to protect sensitive account and transaction information in the Visa acceptance environment. It protects the interests of all payment participants, including clients, merchants and cardholders, in both the physical and virtual worlds.
By implementing and adhering to the Payment Card Industry Data Security Standards (PCI DSS) requirements, organizations can take an important step towards better protecting their customers’ information from being stolen and used to commit fraud. By following the industry-wide requirements of PCI DSS, organizations can realize the following business benefits:
- Protect their customers’ personal data
- Boost customer confidence through a higher level of data security
- Lower their exposure to financial losses and remediation costs
- Maintain customer trust and safeguard the reputation of their brand
- Provide a complete “health check” for any business that stores or transmits customer information

As well as protecting your customers, appropriate data security limits your risk exposure and minimizes the losses and operational expense that stem from compromised cardholder account information. The financial and resource outlay to meet the PCI DSS requirements is minimal compared with the costs associated with the reactive hiring of security and public relations specialists, or the loss of significant revenue and goodwill that can result from a compromise. Thus, the AIS program can help you by:
- Promoting your brand’s integrity and boosting consumer confidence in your business
- Increasing sales and business due to increased consumer confidence
- Protecting you against potential loss of revenue and unwanted investigative and legal costs
- Reducing the risk of unwanted media attention as a result of a compromise
- Providing you with greater awareness of security measures and preventative options available
- Reducing cardholder disputes and associated costs resulting from fraudulent transactions generated by compromised data (upon global take-up of the AIS program)

3.1 The feedback from merchants and payment processors
Since the inception of the AIS Program, Visa has received positive feedback from merchants and service providers who have assessed their compliance with AIS program requirements. Their feedback has been that the assessment process has helped them identify and address important areas of vulnerability. Visa listened to the merchant community to develop a “practical yet comprehensive” program that would protect sensitive account and transaction information in the Visa acceptance environment.

The AIS program establishes payment card industry data security standards for merchants and agents to protect the confidentiality, availability and integrity of sensitive cardholder data. The AIS program helps merchants and agents evaluate and improve their organizational, physical and logical data security controls, and is a requirement for all merchants participating in the Visa acceptance environment. Cardholders ultimately win when their accounts are protected.

4.0 How Visa’s AIS program works

Compliance with the PCI DSS is a requirement for all entities that participate in the Visa payment system. Acquiring banks are responsible for ensuring that merchants and third-party service providers meet the PCI DSS standards and will be able to guide them through the validation process.
4.1 How do you know if you meet the PCI DSS standards

To check whether an organization meets the PCI DSS standards, it must complete the following validation tasks (which tasks apply depends on the average yearly Visa transaction volume it processes):
- Self-assessment Questionnaire
- Quarterly Network Vulnerability Scan
- Onsite Review

For Merchants

| Validation task | More than 6 million Visa transactions per year* | Between 1 million and 6 million Visa transactions per year* OR more than 20,000 Visa e-commerce transactions per year | All others |
| Self-assessment Questionnaire | Optional | Mandated | Recommended |
| Quarterly Network Vulnerability Scan | Mandated | Mandated | Recommended |
| Onsite Review | Mandated | Optional | Optional |

For Service Providers

| Validation task | More than 300,000 Visa transactions per year | Less than 300,000 Visa transactions per year* |
| Self-assessment Questionnaire | Optional | Mandated |
| Quarterly Network Vulnerability Scan | Mandated | Mandated |
| Onsite Review | Mandated | Recommended |

* includes all transactions, regardless of type/channel

4.2 How often do the validation tasks need to be completed

All entities that process, store or transmit Visa transactions should ensure they complete the validation tasks on an annual basis. Organizations are expected to already review and test their security procedures regularly; validation against the PCI DSS standards should be part of this process.

4.3 Required documentation

Visa notifies its members bi-annually to certify the PCI DSS compliance of their merchants and service providers. Clients are required to submit the following documentation:
1. Certificate of Compliance (CoC) – indicating full or partial compliance of the Service Provider / Merchant
2. Summary of Findings – signed off by the Qualified Security Assessor (QSA) if an onsite audit was performed

For entities that are not fully compliant at the time of validation, the following documents must be submitted in addition to the Certificate of Compliance:
1. Remediation plan – signed off by the QSA
2. Letter confirming the target date of full compliance, signed by the client bank

Once remediation tasks have been completed, a final Certificate of Compliance must be submitted indicating full compliance. Compliant service providers are listed on the Visa homepage website for a 12-month period.

5.0 How to get started with PCI DSS validation

Check to see if you meet the PCI DSS standards. Visa recommends the use of:
1. PCI Self-Assessment Questionnaire
2. Quarterly Network Vulnerability Scan conducted by an Approved Vulnerability Scanning (AVS) vendor
3. Onsite Review conducted by a Qualified Security Assessor (QSA)
as the most effective way for you to determine whether you meet the PCI standards.

5.1 Self-Assessment Questionnaire

The Self-Assessment Questionnaire (SAQ) is a free, confidential tool that can be used to gauge your compliance with the PCI DSS standards. The Self-Assessment Questionnaire is made up of ‘yes’/‘no’ questions. The SAQ can be downloaded from pcisecuritystandards.org.

To prepare for and complete the Self-Assessment Questionnaire, follow these steps:
1. Familiarize yourself with the Payment Card Industry Data Security Standards.
2. Distribute the questions to the appropriate experts within your company to obtain accurate answers. These experts frequently include individuals responsible for policy and compliance, physical security and information security.
3. Complete the Self-Assessment Questionnaire.

5.2 Vulnerability Scan

An external vulnerability scan enables you to assess your level of security against potential external threats. Scanning tools are used to generate traffic that tests network equipment, hosts and applications for known vulnerabilities. The scan is intended to identify these vulnerabilities so they can be corrected.

External / remote vulnerability scanning: if your network is connected to the Internet, you are susceptible to intrusions from external ‘hackers’. As such, all of your Internet-accessible network devices should be scanned for vulnerabilities from outside your perimeter protection, such as a firewall. The vulnerability scan is a non-intrusive test. All scans must be conducted by an Approved Vulnerability Scanning (AVS) vendor. You can find the list of AVS vendors on pcisecuritystandards.org.

Quarterly scans are required for all service providers, for merchants whose annual transaction volume is over 1 million and for all merchants who process over 20,000 e-commerce transactions annually. Follow-up vulnerability scans confirm that remediation was successful. If network or application modifications are made to the production environment, additional scans may be required to ensure that new vulnerabilities are not introduced into the infrastructure. Visa strongly recommends that you perform internal and external network vulnerability scans regularly, as new vulnerabilities are constantly discovered.

5.3 Onsite Review

The onsite review is an independent risk assessment required of service providers that have more than 300,000 Visa transactions per year and merchants that process, store or transmit over 6 million Visa transactions per year. Onsite reviews must be performed by a Qualified Security Assessor (QSA). During the onsite review, the QSA will follow a set testing procedure built around the 12 PCI DSS requirements. You can find a detailed list of approved QSAs on pcisecuritystandards.org.

5.4 What is the cost?

The PCI online Self-Assessment Questionnaire and vulnerability scanning are provided by Visa Asia Pacific free of charge; the actual process of assessment, verification and remediation takes place at your organization’s expense. The length of time and cost of compliance depend on the extent to which you are already compliant. The onsite review must be performed by a Qualified Security Assessor (QSA). It is recommended that merchants also use a QSA to perform the PCI DSS onsite review. Alternatively, acquirers may elect to accept the Report of Compliance from merchants provided that it is signed by an officer of the merchant’s company. It is up to you to negotiate the cost of the service with your preferred Qualified Security Assessor (QSA).

6.0 Need more information or help?

By working with our acquiring banks, we are committed to making it as easy, convenient and secure as possible for businesses to accept payment cards. If you have any questions, your first point of contact should be Visa Payment System Risk. For further information relating to PCI DSS you can also visit www.visa-asia.com/secured

Payment System Risk
Asia Pacific, Central Europe, Middle East & Africa
Visa Worldwide Pte. Limited
71 Robinson Road, #09-01
Singapore 068895
www.visa-asia.com/secured
Email: vpssais@visa.com