Account Information Security

At Visa, we are committed to working with merchants like you to protect the customer trust you have worked hard to build for your business. However, in this day and age of internet and wireless technology, hackers are always looking for ways to steal payment card data.

When you store customer payment card information without up-to-date data security that is compliant with Payment Card Industry (PCI) standards, you put your entire business at risk.

The safest thing you can do is to not store sensitive cardholder data.

Click here to find out more about how you can Drop the Data.

If you do need to store cardholder data, it is important that you take the necessary measures to ensure it is secure. Visa operates Visa Account Information Security (AIS), a global program dedicated to helping you prevent and detect threats before you are exploited.

The Visa AIS program will provide you with greater awareness of the security measures and preventive options available, and help you reduce the risk of data compromise, cardholder disputes and associated costs for your business.

What is the Visa Account Information Security (AIS) program?
As part of our commitment to protect cardholder data and uphold the integrity of the Visa payment system, Visa operates AIS, a globally mandated program that focuses on helping merchants and agents improve their data security measures to safeguard Visa cardholder account and transaction information – wherever it resides.

The program aims to eliminate unnecessary data storage, and ensure that entities that store, process or transmit Visa cardholder data are doing so in accordance with the Payment Card Industry Data Security Standards (PCI DSS).

Click here to access the Visa AIS Toolkit.

What are the benefits of the AIS program?
The AIS program can help you:

  • Promote your brand’s integrity and boost customer confidence
  • Boost sales and business due to increased customer confidence
  • Protect your business against potential security breaches and the unwanted investigative and legal costs that follow

How does Visa AIS work?
All entities that participate in the Visa payment system are required to comply with the PCI DSS requirements. To check whether your organization meets these standards, you should complete the following validation tasks:

Self-Assessment Questionnaire
The PCI SSC offers the PCI DSS Self-Assessment Questionnaire (SAQ) to help merchants self-evaluate their compliance with PCI DSS. Please click here for the SAQ.
Merchants should perform the self-assessment using the SAQ at least once a year.

Vulnerability Scan
The Vulnerability Scan enables you to assess your exposure to potential threats. It is an automated tool that conducts a non-intrusive scan of your networks and web applications.
The scan must be performed at least quarterly and conducted by an Approved Scanning Vendor (ASV). Please click here to view the list of ASVs.

Onsite Review
The most comprehensive method of validating your PCI DSS compliance is an annual on-site PCI Data Security Assessment by a PCI SSC Qualified Security Assessor (QSA). To view the list of accredited QSAs, please click here.

Visa has prioritized and defined levels of compliance validation based on the volume of transactions and the potential risk and exposure introduced into the payment system by merchants.

For AIS compliance validation requirements for Merchants, please click here.

Click here to find out how to prepare for an information security breach, and what action to take should your organization suffer one.

What are the Payment Card Industry Data Security Standards (PCI DSS) requirements?
The PCI DSS was developed to enhance cardholder data security and facilitate consistent data security measures globally. PCI DSS comprises a basic set of technical and operational requirements for protecting cardholder data, and may be enhanced with additional controls and practices to further mitigate risk. PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers and agents, as well as all other entities that store, process or transmit cardholder data.

Below is an overview of the 12 PCI DSS requirements:

Click here for more information about PCI DSS requirements.

All merchants are categorized into four merchant levels based on Visa transaction volume over a 12-month period. Click here for more information about merchant levels.