Account Information Security, or AIS, is a Risk Management program designed to protect sensitive account and transaction information in the Visa payment system. It protects the interests of all payment participants, including Visa issuers and acquirers, merchants and cardholders - in both the physical and virtual worlds.
In 2004, the AIS requirements were incorporated into an industry standard known as Payment Card Industry (PCI) Data Security Standards, or PCI DSS, resulting from a co-operative effort between Visa and the other major payment card brands to create common industry security requirements.
Effective September 2006, the PCI Security Standards Council ("PCI SSC") owns, maintains and distributes the PCI DSS and all its supporting documents. However, Visa maintains the AIS program as the managing program for data security (based on PCI DSS) compliance enforcement and validation initiatives.
Who does AIS program apply to?
The AIS program is a requirement for all entities participating in the Visa payment system i.e. those entities that process, store or transmit Visa cardholder account and/or transaction information, including merchants, processors and payment service providers.
What are the benefits of the AIS program?
By implementing and adhering to the Payment Card Industry Data Security Standards (PCI DSS) requirements, you will be taking an important step towards protecting your customers' information from potential security breaches and fraud.
As well as protecting your customers, appropriate data security measures limit your risk exposure and minimizes the potential losses and operational expense that stem from compromised cardholder account information.
The AIS program can help you:
- Promote your brand's integrity and boost consumer confidence in your business
- Boost sales and business due to increased consumer confidence
- Protect you against potential security breaches and unwanted investigative and legal costs
- Reduce the risk of data compromise, fraud and the resulting unwanted media attention
- Provide you with greater awareness of security measures and preventative options available
- Reduce cardholder disputes and associated costs
What are the Payment Card Industry Data Security Standards (PCI DSS) requirements?
PCI DSS compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data and applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce.
At a basic level, PCI DSS consists of 12 key requirements for protecting Visa cardholder account and transaction information:
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
Please click here for the complete PCI DSS.
How do I validate PCI DSS compliance?
To check whether your organization meets the PCI DSS requirements, you should complete the following validation tasks:
|1. Self-Assessment Questionnaire|
|The PCI SSC offers the PCI DSS Self-Assessment Questionnaire (SAQ) as a validation tool intended to assist merchants and service providers to self-evaluate their compliance with PCI DSS. There are four versions of the PCI DSS SAQ to choose from to meet your business need. Please click here for the SAQ.
Merchants and service providers should perform the self-assessment using the SAQ at least once a year.
|2. Vulnerability Scan|
|The Vulnerability Scan is an automated tool that conducts a non-intrusive scan to remotely review networks and Web applications based in the externally-facing Internet Protocol (IP) address provided by the merchant/service provider.
The scan tool used must be a PCI SSC Approved Scanning Vendor (ASV). Please click here to view the list of ASVs. Scans must be performed on a quarterly basis at minimum.
|3. Onsite Review
|The most comprehensive method of validating your PCI DSS compliance is to have an annual on-site PCI Data Security Assessment by a PCI SSC Qualified Security Assessor (QSA). To view the list of accredited QSAs, please click here.
Visa has prioritized and defined levels of compliance validation based on the volume of transactions, the potential risk, and exposure introduced into the payment system by merchants and service providers.