Data Protection Guidelines CISP Implementation Documentation
Although the following information will help you to comply with the Cardholder Information
Security Program (CISP), it is important to visit Visa’s website (http://www.visa.com/cisp) and
review the most up-to-date information available. PCCharge, when implemented according
to CISP guidelines (and when implemented into a secure environment), will not keep a
merchant from being CISP compliant.
1. PCCharge does NOT store credit card magnetic stripe data (track I/II data), so this is
not an issue that would endanger a merchant's CISP compliancy.
2. PCCharge does NOT store credit card CVV2/CVC2/CID data (the verification number
that appears on the front or back of the credit card), so this is not an issue that would
endanger a merchant's CISP compliancy.
3. PCCharge stores credit card numbers (Primary Account Number) and expiration
dates. However, this data is encrypted per a CISP accepted method. Therefore, this is
not an issue that would endanger a merchant's CISP compliancy.
4. If the computer running PCCharge is on a network that has any kind of an Internet
connection, a firewall must be used on that network. Even if a firewall is already in place,
ensure that all patches have been installed. Industry standards should be followed for
strengthening the firewall prior to processing financial transactions. Perimeter scans
and intrusion detection are recommended.
5. Printed material documenting sensitive merchant information (Merchant ID, Terminal
ID, etc.) should be safeguarded.
6. Keep software up to date, including (but not limited to): operating systems, e-mail
programs, and Internet browsers. For example, Microsoft security updates and
patches can be downloaded by visiting http://www.microsoft.com/.
7. Use appropriate facility entry controls to limit physical access to systems that store or
process cardholder data. Visa recommends the use of complex passwords to facilitate
a secure environment. Complex passwords are longer than 6 characters and use a
combination of alphanumeric and non-alphanumeric characters. PCCharge provides
users with the ability to use usernames and passwords.
8. PCCharge allows users to purge (delete) transactions from their PCCharge databases
that are older than a configurable amount. The default value is 2556 days (7 years).
You should change this value according to your business's requirements. Some
possible variables that would affect this value include:
• Your merchant service provider's regulations
• Your accountant's advice
• Your local laws
In addition to the Data Protection Guidelines, it is important that merchants review the
information that is available on Visa’s website (http://www.visa.com/cisp) and/or contact
Visa directly for more information regarding CISP compliance.