CISP Certification

Cardholder Information Security Program (CISP) certification is designed to ensure that cardholder information is secure wherever it is received, stored or transmitted. Visa has mandated CISP since 2001. In 2004 the CISP requirements were incorporated into an industry-wide standard, the Payment Card Industry (PCI) Data Security Standard (DSS), on which Visa and Mastercard cooperated. CISP certification is mandated for all merchants and service providers that store, process or transmit Visa card data, whether the business is retail, telephone/mail order or e-commerce.

The major components of CISP certification include:

SECURE NETWORK

A network must be built with adequate firewall protection, and vendor-supplied default passwords and other default security parameters must not be left in use.

CARDHOLDER DATA PROTECTION

Cardholder data must be adequately protected while stored, and must be encrypted in transit across open, public networks.

VULNERABILITY MANAGEMENT

Antivirus software must be used and kept up to date, and systems and applications must be developed and maintained securely.

ACCESS CONTROL

CISP certification restricts access to cardholder data to those with a business need to know. Each person with computer access must be assigned a unique identifier, and physical access to cardholder data must be restricted to those who need it.

TEST AND MONITOR NETWORKS

All access to network resources and cardholder data must be tracked and monitored so that unauthorized or unknown users can be detected. Security systems and processes must be tested regularly to confirm they are working effectively.

INFORMATION SECURITY POLICY

A policy for maintaining information security must be defined, published and kept current.

COMPLIANCE

All acquiring merchant account providers must ensure that merchants processing more than one million Visa transactions per year are in compliance with CISP. Compliance documentation and sign-off are specified, including audits of security systems and fulfillment of the standards above.

Alongside the CISP compliance mandates there is a system for identifying and publicizing potential security threats, in the form of security alerts.

For example, a technique for harvesting CVV2 values was recently described in a Visa Data Security Alert. The CVV2 is the three-digit code printed on the back of the card that merchants request in card-not-present transactions (telephone, mail order, e-commerce) as evidence that the buyer physically holds the card. A criminal who already has a card number therefore often lacks only the CVV2 to complete a fraudulent purchase, which is why it has been a repeated target: holding the CVV2 lets a card-not-present transaction look as though the card is in hand. This is also why PCI DSS forbids storing the CVV2 after authorization (along with full magnetic-stripe data and PINs), so that a compromised merchant database cannot yield it.

While such alerts are helpful to cardholders, they reach only those who read them. Warnings must be combined with other preventive measures to stop improper access to cardholder data.

CISP certification attempts to detail and enforce security practices across the credit card industry, by merchants and by the service providers and acquiring institutions that handle card data, in order to protect sensitive cardholder data. Tightening security and continuing to publicize information about schemes and scams may help reduce the heavy losses from fraudulent credit card activity.