Visa and MasterCard have made important changes to merchant acceptance as part of a proposed settlement for merchants located in the U.S. and U.S. territories. For more information click here.

In June of 2001, Visa USA instituted the Cardholder Information Security Program (CISP) program. Visa started this effort specifically for merchants and service providers who process, store or transmit cardholder data and mandated it to take effect May 1, 2001. The CISP program was implemented to help ensure consumers that the businesses they are dealing with maintain the security of their bankcard account and other personal identifiable information. The CISP program also helps stem the tide of large-scale card number hacker attacks that have occurred within the payment card industry.

As a result, Visa requires all merchants and service providers be compliant with the CISP program. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. To achieve compliance with CISP, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard, which offers a single approach to safeguarding sensitive data for all card brands.

CISP Compliance Validation

Separate and distinct from the mandate to comply with CISP requirements is the validation of compliance. Validation of compliance is a fundamental and critical function that identifies and corrects vulnerabilities, and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of CISP compliance validation based on the volume of transactions, the potential risk, and exposure introduced into the Visa system by merchants and service providers.

Typically, to secure compliance validation, you must complete an annual onsite review and Report on Compliance OR an Annual Questionnaire dependant on your merchant level and in accordance to the PCI Audit Procedures.

Visa believes that the most effective way to validate compliance is for you to engage a Visa-approved, independent security assessor to complete the onsite review and Report on Compliance and for you to provide the results to Elavon. A list of VISA-approved security assessors can be found at the CISP web site. In addition to an independent security assessment, you must complete a quarterly System Perimeter Scan to be performed by one of the Visa-approved vendors.

To complete validation, Reports on Compliance and System Perimeter Scans must contain acceptable ratings in accordance with the CISP guidelines.

Copies of all Report on Compliance/Questionnaire and the Quarterly System Perimeter Scans must be sent to:

Attn: Association Compliance
One Concourse Parkway, Suite 300
Atlanta, GA 30080

Failure to comply with this these mandates can result in your organization being assessed any and all fees (starting at $50,000 for the first occurrence) and penalties as prescribed by Visa for non-compliance with the CISP program.

Detailed instructions for the Report on Compliance, System Perimeter Security Scan, Visa Certified Vendors, and the Visa CISP guidelines are available at the Visa CISP website.

Verified by Visa

Verified by Visa enhances the security of credit card payments in the Internet/e-commerce environment. The Verified by Visa service increases both cardholder and merchant confidence in e-commerce transactions while reducing fraudulent transactions and disputes related to the use of Visa payment cards. Additionally, cardholders can use this service at no additional cost. For more information on the service visit: or email