1. Install and maintain a working network firewall to protect data accessible via the Internet.
2. Keep security patches up-to-date.
3. Encrypt stored data.
4. Encrypt data sent across networks.
5. Use and regularly update anti-virus software.
6. Restrict access to data by business "need to know." 
7. Assign a unique ID to each person with computer access to data. 
8. Don't use vendor-supplied defaults for system passwords and other security parameters.
9. Track access to data by unique ID.
10. Regularly test security systems and processes. 
    
    An additional two requirements address administrative and physical security issues:
    
11.  Maintain a policy that addresses information security for employees and contractors.
12. Restrict physical access to cardholder information.

These top-level principles apply to all entities participating in the Visa payment system that process or store cardholder information and have access to it though the Internet or mail-order/telephone-order.

Further information about this program can be obtained from Visa's Merchant Resource Center. Click here to download a copy of the Cardholder Information Security Program (cisp55.pdf file 274K). . 

Adobe Acrobat 3.0 is required for viewing PDF documents. Download the free Adobe Acrobat Reader to view (browse) and print these specifications.