Visa Helps Safeguard Electronic Payment Card Data
By Mark Merkow, CCP, CISSP

April 10, 2001


Visa USA is now offering a helping hand to e-commerce merchants in safeguarding payment card data, and protecting card members, merchants, and member banks from fraudulent uses of stolen payment cards. The Visa Cardholder Information Security Program (CISP) is a comprehensive list of 12 guidelines put out to help merchants meet a May 2001 deadline for safeguarding their e-commerce sites. Specifications and implementation guidance include:
  1. Install and maintain a working network firewall to protect credit card data accessible via the Internet.
  2. Keep security patches up to date.
  3. Encrypt stored data.
  4. Encrypt data sent across networks using Secure Socket Layer (SSL) or other techniques.
  5. Use and regularly update anti-virus software.
  6. Restrict access to data by business "need to know."
  7. Assign a unique ID to each person with computer access to data.
  8. Do not use vendor-supplied defaults for system passwords and other security parameters.
  9. Track access to data by unique ID.
  10. Test security systems and processes daily.
  11. Maintain a policy that addresses information security for employees and contractors.
  12. Restrict physical access to cardholder information. Give an individual or team specific responsibility for managing information security.

To aid in their implementation, Visa is providing merchants with training sessions, interactive reviews, compliance and monitoring consultation, and information on third-party firms specializing in testing and compliance.

"Many merchants have already taken steps to lock up payment card data online, and Visa's requirements are like a 'virtual deadbolt'," said John Shaughnessy, senior vice president, Risk Management, Visa U.S.A. "Visa is working with merchants to heighten data security and ultimately increase consumer confidence in e-commerce. Together, we can give consumers the same security online that they have come to expect in the physical world."

CISP was created specifically for mail-order/telephone-order (MOTO) and Internet merchants along with any third-party processing agents, but also applies to any type of merchant who accepts transactions in a 'card-not-present' purchasing environment.

Why Comply?
According to Visa, if merchants apply the CISP guidelines properly and consistently, the security and procedural controls offer the following benefits:

  • Competitive Edge - Consumer studies show that trust is a key factor in doing business with card-not-present merchants. Customers seek out merchants who they feel are "safe."
  • Increased revenues and a stronger bottom line - When it comes to improving profitability, a company's bottom line depends on better data security. With appropriate data security in place, you can protect your customers, limit risk exposure, and minimize the losses and operational expense that stem from compromised cardholder information.
  • Maintaining a Positive Image - With the incredible growth of the Internet today, information security is on everyone's mind. Data loss or compromise not only hurts the cardholder, it can seriously damage a merchant's reputation.

Serving as both a carrot and a stick, the CISP helps Visa to accelerate its demands on merchants to do a much better job of credit card security than has been seen in the past. The new Visa USA Operating Regulations include a monitoring and compliance program that will take effect this year. Failing to live up to these regulations places your ability to accept Visa cards on your Web site in jeopardy. Besides that, implementing these countermeasures and compensating controls is simply the right thing to do!

Peeking inside Version 5.5 of the CISP, you'll find sections on:

  • What needs to be protected
  • Roles and responsibilities
  • Program timelines
  • Compliance and monitoring
  • Detailed requirements for:
    • Logical data security
    • Administrative data security
    • Physical data security
  • Best practices
  • Glossary of terms

Visa has also provided online collateral to help merchants get started and to answer their questions and concerns. The Visa Merchant Resource Center Web site offers a wide variety of information and training on how to best conduct business electronically, and covers all types of hints and tips for all types of retail merchants. You can also download a copy of the CISP from the site.
