Visa's Cardholder Information Security Program (CISP)
By David H. Press
In April 2000, Visa announced the launch of its Cardholder Information Security Program (CISP). Visa created the program specifically for merchants and service providers that process, store or transmit cardholder data and mandated that it take effect May 1, 2001.
This program establishes requirements for safeguarding personally identifiable information with a list of 12 detailed security requirements to protect Visa cardholders. In 2003, major system compromises resulted in the acceleration of the verification program to include all entities handling, transmitting or storing cardholder data.
The 12 detailed security requirements (the "Digital Dozen") apply to service providers and to Internet, "brick and mortar" and other non-Internet businesses alike. To meet them, an organization must:
- Install and maintain a working firewall to protect data
- Keep security patches up to date
- Protect stored data
- Encrypt data sent across public networks
- Use and regularly update anti-virus software
- Restrict access to "need to know" basis
- Assign unique ID to each person with computer access
- Don't use vendor-supplied defaults for passwords and security parameters
- Track all access to data by unique ID
- Regularly test security systems and processes
- Implement and maintain an information security policy
- Restrict physical access to data
To learn more about CISP, I contacted Nicholas J. Percoco, an Associate Partner at Ambiron, a leading independent compliance management and information security advisory firm based in Chicago with offices throughout the United States.
Ambiron offers a Multi-Card Compliance Program that covers both Visa CISP and the MasterCard Site Data Protection (SDP) program. The people at Ambiron know a lot more about CISP than I do, so I asked Percoco the following questions:
To whom does CISP apply?
CISP is directed to all entities that store, process, transmit or handle cardholder information. The program requires, at minimum, annual validation of all merchants, processors and service providers on both the issuing and acquiring sides of the business.
Is CISP strictly Internet-focused?
CISP is not just focused on the e-commerce payment acceptance channel. First and foremost, it is important to understand that any merchant or service provider who processes and/or stores cardholder data is vulnerable to compromise.
Why is it important to become Visa CISP certified?
Visa has developed a comprehensive list of best practices that an organization should meet or exceed when processing and storing cardholder information. These areas range from implementing required technical and security features, such as a firewall or intrusion detection systems, to developing policies and procedures such as a corporate security policy or a disaster recovery plan. Complying with each of these areas will greatly enhance your organization's security posture and help defend against intruders attempting to access your customers' sensitive information.
Adopting Visa's requirements and becoming certified demonstrates to your customers that you take the security of their data very seriously. CISP certification also serves as an excellent security foundation to refer to when you are faced with a business or technical decision regarding the processing or storing of cardholder information.
How does my company become CISP certified?
The process typically begins with the Visa CISP self-assessment, through which your organization quickly gains a high-level understanding of where it stands in relation to CISP standards. You may find that you need to do some preparation before a formal audit is performed against your environment. Many of our clients engage us to assist in the preparation, but you may choose to do this on your own.
Once the self-assessment and any preparations are complete, you must engage a third-party assessor to begin a security audit (a list of qualified CISP assessors, including Ambiron, is available from Visa). The audit is a combination of internal and external vulnerability scans, interviews, documentation review and on-site examination of several systems within your environment, all following a process and reporting standard that Visa has put in place.
The data gathered during the audit are used to create a Report on Compliance (ROC). If your organization meets all of the Visa CISP requirements, you will receive a compliance letter within a few weeks of completing and submitting the ROC to Visa. If the audit reveals that you are not fully compliant with one or more of Visa CISP requirements, you should work with your assessor to set realistic target dates for completing the tasks necessary to meet the missing requirements.
The report can still be submitted to Visa, but Visa will ask the assessor to perform a follow-up audit when the target dates have been reached. Your organization will receive a Visa CISP compliance letter when the follow-up ROC has been successfully completed and submitted.
What are the penalties if the Report on Compliance demonstrates that an entity is not in compliance with all requirements?
Results of the audit are not punitive. If the year-one ROC demonstrates non-compliance issues, Visa requires that you have a plan and firm timeframe to remedy the outstanding issues. The best way to avoid penalties is to provide Visa with all required deliverables according to the timeframes provided.
What will happen if I don't do this?
Since CISP compliance is mandated in the Visa U.S.A. Operating Regulations, the Visa member whose merchant or service provider does not comply will be fined a minimum of $50,000.
There are other fines that could be levied for willful non-compliance or egregious behavior. Ultimately, merchants and their service providers must meet the CISP requirements to continue to accept Visa.
How long does it take to become CISP certified?
Certification can take anywhere from a few weeks to several months, depending on the complexity of your environment and how close you are to the Visa CISP standards at the beginning of the process.
The audit typically takes a few weeks at most; it is usually the preparation or remediation that can take more time. For example, at Ambiron, we work closely with our clients to help them prepare for the audit and identify cost effective solutions to meet the CISP requirements.
All information regarding CISP compliance for all entities has been posted on the Visa Web site at www.visa.com/cisp. The Web site includes a CISP Overview, the CISP Requirements and detailed compliance verification instructions for the largest merchants (specific list), general population merchants, service providers and those who have been compromised.
It also offers technical issues and answers, downloadable forms, lists of qualified assessors and CISP-compliant service providers.
Contact Ambiron on the Web at www.ambiron.net or by phone at 877-AMBIRON (262-4766).
David H. Press is Principal and President of Integrity Bankcard Consultants, Inc. Phone him at 630-637-4010, e-mail dhp@integritybankcard.net or visit www.integritybankcard.net.