What is Account Information Security?

What is the Account Information Security (AIS) program?

Account Information Security, or AIS, is a Risk Management program designed to protect sensitive account and transaction information in the Visa payment system. It protects the interests of all payment participants, including Visa issuers and acquirers, merchants and cardholders - in both the physical and virtual worlds. 
 
In 2004, the AIS requirements were incorporated into an industry standard known as Payment Card Industry (PCI) Data Security Standards, or PCI DSS, resulting from a co-operative effort between Visa and the other major payment card brands to create common industry security requirements.
 
Effective September 2006, the PCI Security Standards Council ("PCI SSC") owns, maintains and distributes the PCI DSS and all its supporting documents. However, Visa maintains the AIS program as the managing program for data security (based on PCI DSS) compliance enforcement and validation initiatives.

Who does the AIS program apply to?

The AIS program is a requirement for all entities participating in the Visa payment system, i.e. those entities that process, store or transmit Visa cardholder account and/or transaction information, including merchants, processors and payment service providers.

What are the benefits of the AIS program?

By implementing and adhering to the Payment Card Industry Data Security Standards (PCI DSS) requirements, you will be taking an important step towards protecting your customers' information from potential security breaches and fraud.  
 
As well as protecting your customers, appropriate data security measures limit your risk exposure and minimize the potential losses and operational expense that stem from compromised cardholder account information.
 
The AIS program can help you:

  • Promote your brand's integrity and boost consumer confidence in your business
  • Boost sales and business due to increased consumer confidence
  • Protect you against potential security breaches and unwanted investigative and legal costs
  • Reduce the risk of data compromise, fraud and the resulting unwanted media attention
  • Provide you with greater awareness of security measures and preventative options available
  • Reduce cardholder disputes and associated costs

What are the Payment Card Industry Data Security Standards (PCI DSS) requirements?

PCI DSS compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data and applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce.

At a basic level, PCI DSS consists of 12 key requirements for protecting Visa cardholder account and transaction information:

Build and Maintain a Secure Network

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy

  12. Maintain a policy that addresses information security

The PCI DSS was designed to protect the confidentiality, availability and integrity of customer data. The Standards represent the key requirements for handling or managing Visa account information.

Please click here for the complete PCI DSS.

How do I validate PCI DSS compliance?

To check whether your organization meets the PCI DSS requirements, you should complete the following validation tasks: