Visa Launches Account Information Security Programme To Protect Cardholder Data
Compliance with global standards for all participants in Visa’s payment system
Visa International today launched a programme to protect all Visa cardholder account and transaction information by
preventing unauthorized disclosure or modification of the data. Visa’s Account Information Security (AIS) programme is
designed for all entities that process, store or transmit Visa cardholder account and transaction information.
Merchants, processors and Internet payment service providers in Visa’s acceptance chain must comply with the AIS
programme to ensure that their data security measures are robust and stringent enough to safeguard sensitive customer
data. To help facilitate compliance with the programme, AIS is providing online assessment and validation tools.
Through the AIS web site at www.visa-asia.com/secured, merchants and their service providers can assess their own
vulnerability to Internet hacking or other security breaches. The online self-assessment tool is free of charge, and the
business’ input will be kept confidential, with analysis of the self-assessment questionnaire undertaken by third-party
information security specialists. The results of the test will help businesses identify and improve their
security and risk management processes to better protect customer data.
AIS’ online accessibility makes it easier for the parties handling Visa cardholder information to implement and enforce
the industry-setting security standards and for Visa’s members to monitor compliance with the programme. AIS standards
comprise 15 security controls to ensure that a business’ organizational, physical and logistical areas maintain the
confidentiality, availability and integrity of sensitive account and transaction data. The 15 mandatory requirements
help protect data throughout the entire life cycle of a transaction, focusing on critical security areas such as human
resource, access, firewalls, virus protection, data disposal, encryption and physical security. These requirements are
based on industry standards and best practices.
Visa has appointed Qualified Security Assessors to help larger merchants and processors review their operations against
the AIS standards. The assessors will provide consultancy services and help the larger, more sophisticated merchants and
processors validate their compliance. Visa has also engaged a security firm, Dimension Data, to provide vulnerability
scanning, a non-intrusive scan that does not disrupt merchants’ systems but is able to identify areas where a hacker
could penetrate the system. By identifying the vulnerabilities in its network, a merchant or processor can then
take the necessary corrective and preventive actions to manage the risk.
Belinda Leonard, Country Manager for Visa Zealand, said: “Protection of account and transaction data makes absolute
business sense as it builds consumer trust and confidence. Compliance with AIS standards, put within easy reach of
merchants and processors, will enable them to protect themselves and their customers’ data from possible loss or theft
by hackers or unscrupulous employees. Such incidents create negative publicity and affect their bottom line. Consumer
trust and confidence translate into increased business, and naturally more and more merchants see the value and
competitive edge that AIS-compliance gives to them.”
She added that poor data protection practices placed the entire e-commerce industry in a vulnerable position – an
account compromise at one e-commerce merchant can result in fraudulent activity at other merchants. “This is why Visa
has set the global standard to protect the interests of all payment participants from threats against their websites,
servers and IT systems,” Ms Leonard said. “Visa was the first in the industry to create such a programme and will
continue to maintain its aggressive approach to every aspect of fraud prevention, detection and recovery.”
The test phase of the AIS programme in Asia-Pacific began in late 2003, with a key focus on e-commerce merchants.
Working with its member financial institutions around the region, Visa is now stepping up the validation and education
of processors and service providers which might have greater exposure to possible account compromise.
AIS is a key part of Visa’s Global Secure e-Commerce strategy and complements the ‘Verified by Visa’ programme. Verified
by Visa authenticates the cardholder during the transaction, while AIS protects the cardholder information during
subsequent processing and storage.