Merchant Account Services

Visa's CISP Data Security Standard Explained

Store credit card information securely and intelligently


Author: Jim Conners

Rating: 10.0

Pages: 1

Anyone who has been reading the news will have noticed the increasing coverage privacy issues have garnered over the last few years. Amongst some of the more frequent incidents are large scale thefts of consumer data including their credit card information. A hacker penetrates an online merchantís database and downloads tens of thousands of credit card numbers and other private information.

To help prevent thefts of this sort, Visa has created a standard by which any merchant wishing to store merchant credit card data must abide. It is called the Cardholder Information Security Program (CISP). It is part of Visaís larger security initiative called the Payment Card Industry (PCI) Data Security Standard.

The technical specifics are not very difficult to understand and really are straightforward. However, most merchants are not aware of these requirements and put themselves, and their customers' private information, at risk. Also, much of the standard involves areas that the merchants are not involved with (i.e. data center security). To simply the standard for most merchants this article will remove the elements that are not in direct control of the merchant and focus on the factors they can control.

Merchants should read the entire CISP standard and be aware of every aspect of it. If a merchant experiences a data breach they are ultimately the ones held responsible for it. The PCI standard lists 12 requirements a merchant must follow to be CISP compliant. This article will only cover requirements three and four.

Requirement 3: Protect Stored Data

"Encryption is the ultimate protection mechanism because even if someone breaks through all other protection mechanisms and gains access to encrypted data, they will not be able to read the data without further breaking the encryption. This is an illustration of the defense in depth principle."

This section of the CISP standard is probably the most relevant to merchants who wish to store credit card information for any length of time. Visa has set forth a very specific list of requirements for what can and cannot be stored and under what circumstances you can store it. I outline the key points below.

What you may not store under any circumstances:

  • The CVV2 numbers associated with the credit card

    This is the three digit number on the back of the credit card. On a Visa and MasterCard it can be found on the the signature panel. Usually at the very top-right most corner. CVV2 is a credit card security measure aimed at reducing fraud for card not present transactions. It is a three or four digit number that is only present on the credit card. Theoretically, this is used to verify that the credit card being used in a purchase in the in the possesion of the purchaser at the time of the transaction making the sale more secure.

  • The PIN Verification Value (PVV)

    This is the PIN number associated with Check Cards. If a security breach occured and it was determined that this information was stored by an online merchant it would be a major problem. An online merchant has no reason to ask for this information as it is exclusively used for PIN-based transactions. Since the PIN number can only be entered manually into a PIN Pad there is obviously no way for a merchant to accept this form of payment.

Mask Account Numbers When Displayed

When displaying stored information on a user's screen you are only permitted to show the first six digits and last four digits of the customer's credit card number. The first six digits of a Visa (and MasterCard) represent the bank that issued the card. These numbers are public anyway. The last four digits are relatively unique when used for verification purposes. An "X" is typically used to replace blocked digits of a credit card number.

Render Sensitive Cardholder Data Unreadable Anywhere It Is Stored

Although Visa outlines many important techniques and standards for securing customer data, this one is probably the most important. Furthermore, because this is directly controlled by the online store owner, its importance cannot be understated. Customer data that is stored must be encrypted. If customer data is comprimised it will be uselss to the thief as they will be unable to decypher the content.

Visa recommends the following encryption techniques:

  • One-way hashes (hashed indexes), such as SHA-1
  • Truncation
  • Index tokens and PADs, with the PADs being securely stored

The minimum account information that needs to be rendered unreadable is the credit card number.

Requirement 4: Encrypt Transmission of Cardholder and Sensitive Information Across Public Networks

"Sensitive information must be encrypted during transmission over the Internet, because it is easy and common for a hacker to intercept and/or divert data while in transit."

Although few, if any, merchant account providers will establish a merchant account for an online store that does not have a secure order page provided by a SSL Certificate. Visa'a PCI standard dictates that the encryption provided by the SSL Certificate be a minimum of 128-bit strength. SSL Certificates can be purchased from vendors such as GoDaddy, Thawte, and Verisign.

Visa's PCI standard does allow for credit card data to be transported via email. However, the contents of the email must be encrypted. A tool that can help with this is PGP Encryption.


Due to the enormous risks associated with storing credit card information, and all private data as well, it is imperative that an online merchant follow set guidelines for storing this information. Visa's PCI standard is the defacto standard for storing credit card information and all merchants wishing to accept their customers' credit cards must obey their guidelines.

You should only store your customers' data if you have a future use for it. Examples of a valid reason for storing a customer's data would be for recurring billing and making their future checkout process simpler. If you only plan to accept payment from a customer once or in erratic intervals you should not be storing their data.


You can download a copy of several important documents, including the CISP information, from Visa's website. I have provided links to the information below.

Payment Card Industry Data Security Standard
PCI Self Assessment Questionnaire
PCI Security Audit Procedures and Reporting

BlinkList digg Furl linkaGoGo Newsvine reddit Shadows Simpy Tailrank Yahoo! My Web

Rate This Article