Personal Cardholder Information
Visa focuses on securing cardholder data wherever it is stored. Security is a shared responsibility; Visa insists that financial institutions, merchants and service providers have in place appropriate layers of security to protect cardholder data and reduce the potential for fraud.
An Industry United
In 2006, Visa led the industry establishment of the Payment Card Industry Security Standards Council (PCI SSC), an open global forum to maintain data security standards. The council is a cooperative effort to align payment network security requirements under a single framework.
PCI SSC standards include:
- PCI Data Security Standard (PCI DSS) — applies to any entity that stores, processes and/or transmits cardholder data.
- PCI PIN Transaction Security (PCI PTS) Requirements — apply to any entity that processes or transmits PIN data at ATMs and point of sale terminals.
- Payment Application Data Security Standard (PA-DSS) — applies to software developers and integrators of applications that store, process or transmit cardholder data as part of authorization or settlement.
Encouraging Compliance
To encourage all participants to secure cardholder data, we have implemented incentives to promote standards compliance. More than 95 percent of the largest U.S. merchants have validated compliance with PCI DSS. To date, no breached entity has been compliant with standards at the time of compromise.
We have also made considerable strides toward eliminating the storage of authorization data by merchants and processors, a vulnerability that criminals try to exploit to perpetrate fraud. This “prohibited” data includes full magnetic stripe information, CVV2 or “Card Verification Value 2” numbers and PIN codes.
Integrating Security Into Small Businesses
For small businesses, Visa partnered with the U.S. Chamber of Commerce to encourage merchants to eliminate storage of prohibited data through a national education campaign called “Drop the Data.” Additionally, Visa developed payment application security mandates to reduce data storage and provide more secure payment application products for merchants.
Our efforts have been rewarded. We have seen global fraud rates fall and hold near historic lows. And when data compromises do happen, the vast majority of accounts thought to have been exposed do not actually experience any fraud.
Investing and Evolving
Criminals never stop, and threats will evolve, which is why Visa invests in new technologies and innovations — from encryption of data to chip technologies — to stay one step ahead. We encourage continued exploration of new ways to protect payment card data, especially when they render stolen data useless for perpetrating fraud.
