12.07.2015

Card Vendor Program - Visa Asia Pacific


Understanding Key Issues and Changes to Card Vendor Program


Key Issues
1. Completion and Delivery of:
A. Pre-Engagement Questionnaire
• Timeliness
• Card samples are not punched
B. Action Plan and Assessment Tracker
• Reminders sent by Visa
• When tracker is returned for further improvement, vendor amends remediation action plan and/or removes Visa comments
• Visa confidential emails are not encrypted
• Huge attachments should be sent by filing attachments in CD ROM and files encrypted.
Information Classification Visa Confidential as Needed


Key Issues
2. Tiering Template
• Timeliness
• Unable to understand the “Annual Quantity of Visa cards stored in the vault from January to December XXXX”
• Vendors collate different facilities’ statistics into one spreadsheet.
• No signature on the approval column
3. Cases of Noncompliance (Section 1.3.E.1)
• Failure to pay annual fee
• No business activity during the previous 12 months


Changes and Updates
1. Card Vendor Program
• Management of the card vendor program for vendors based in Asia Pacific (AP) and Central Europe Middle East Africa will be handled in Singapore
2. Generic Email
• As Visa is now one single organization, effective immediately the generic email is changed from apsgpcardvendor@visa.com to vendorcompliance@visa.com


Changes and Updates
3. Registration
• In the event of any addition/amendment, registration and approval will be managed from Singapore as follows:
– Third Party Agent
– Designated Officer Responsible for Ordering of Hologram
– Shipment of indent print from personalization supplier
4. Visa Product Standards
• In the event of account being locked or request for access for a new user, an automatic request will be generated and sent to Visa Singapore for approval.
• Do not use generic email or Hotmail address to request access to Visa product standards as it will be rejected


Changes and Updates
5. Merger of Entities/Shareholders/Change in Management
• Inform Visa of merger and/or change with an official letter.
• Visa will request current audited financials to conduct a financial litmus test
• In the event of change in entity’s name, a revised Security Agreement will be drawn up
6. Registry of Service Providers
• Registered service providers are listed on publicly-accessible website at http://www.visa-asia.com/spregistry and accessible to Visa members and service provider
• There is no change to website’s address
• Vendors to inform Visa in the event of change/addition in category and contact person


Card Vendor Workshop


Card Vendor Workshop – Purpose
• Our goal is that the knowledge gained throughout the workshop will enable potential vendors to understand where your business fits into the card vendor program
• Existing vendors can be in full compliance with the Visa Security Standards


Card Vendor Workshop – Who Can Register?
• Any potential vendor wishing to join the Card Vendor Program in the category as a:
– Card Manufacturer
– Mag Stripe and/or IC Personalizer
– IC Pre-Personalizer
– IC Embedder
• Existing card vendors who wish to learn in-depth knowledge of the physical and security standards and improve to meet the program’s compliance requirements


Card Vendor Workshop – Registration Form
• Available in English, Mandarin and Japanese
• If a vendor wishes to enroll, complete registration form in English and return by fax, scanned copy to vendorcompliance@visa.com and cc ang@visa.com


Card Vendor Workshop – Benefits
• Ideal opportunity to learn all about Visa Security Standards for both physical and logical security standards.
• Card vendors can identify and examine weaknesses and improve on security standards
• Workshop can be customized in-house
• Trained by Visa experts knowledgeable in the field of security


THANK YOU


Understanding Key Security Issues to the Card Vendor Program


Key Issues
• Network Security
• Deploy properly configured firewalls between:
– Internet and Internet-facing network (DMZ)
– Internet-facing network (DMZ) and data processing network
– Data processing and personalization network (unless both are in same high security area or on same network)
• Isolate personalization and data processing network from other networks
• Transfer deposited files into the data processing or personalisation network immediately
• Perform quarterly internal vulnerability scanning
• Perform quarterly external vulnerability scanning


Key Issues
• Data Security


Key Issues
• Protecting stored data
– Move cardholder information to a secure system after receipt
– Decrypt cardholder data for the minimum time required for processing
– Encrypt stored cardholder data (including data on database servers, portable media, backup tapes and logs)
– Mask all card account numbers (unless there is requirement to see the full card numbers)
– Delete cardholder data on the personalization machine upon job completion
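An added example, not part of the original slides: one way to check production logs for card account numbers that were written unmasked, and to mask them. The log lines are constructed test data; the 13 to 19 digit candidate range, the Luhn filter and the choice to keep only the last four digits are assumptions of this sketch, not requirements stated in the deck.

```python
import re

# Candidate PANs: 13-19 digits, optionally split by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits: str, keep_last: int = 4) -> str:
    """Assumed masking format: everything but the last four digits hidden."""
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]

def mask_line(line: str):
    """Mask Luhn-valid PANs in one log line; return (masked_line, hit_count)."""
    hits = 0
    def repl(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_ok(digits):
            return match.group()   # batch ids, counters etc. stay untouched
        hits += 1
        return mask_pan(digits)
    return PAN_CANDIDATE.sub(repl, line), hits

# Constructed sample log lines using well-known test card numbers.
SAMPLE_LOG = [
    "2015-07-12 10:02:11 job=4471 perso start pan=4111111111111111",
    "2015-07-12 10:02:12 job=4471 embossed 4012-8888-8888-1881 ok",
    "2015-07-12 10:02:13 job=4471 batch_ref=1234567890123456 queued",
]

def scan(lines):
    """Return (masked_lines, number_of_unmasked_PANs_found)."""
    masked_lines, total = [], 0
    for line in lines:
        masked, n = mask_line(line)
        masked_lines.append(masked)
        total += n
    return masked_lines, total

if __name__ == "__main__":
    masked_lines, total = scan(SAMPLE_LOG)
    print(f"{total} unmasked PAN(s) found")
    print("\n".join(masked_lines))
```

A non-zero count from `scan` on a log file means full card numbers are being stored where the slide above calls for masking.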


Key Issues
• Audit and accountability
Maintain accurate audit trail which can help to establish ownership of the records, e.g.
– Record audit trails for production job activities
– Record movements of cards and components
– Sign off, date and time the completion of task (e.g. review, acknowledgement and handover)
– Maintain dual control of storage and card destruction
– Physical inventory to be carried out under dual control
– ‘In the blind’ inventories


Key Issues
• Making security systems work for you
– Training of the security guards in systems and surveillance techniques
– Reporting and recording of unusual activity
– Formal escalation process
– Investigating unusual events
– Remediation
– Accurately dating and timing events
– System time synchronization


Key Issues
• Shipping of Card Consignments
– At least 24 hours before shipping, establish an identification method to identify and verify shipment carrier
– Obtain issuer approval for transportation schedule and confirmation that their authorized staff will receive consignment at destination
– Use either dual control armored car, secure air freight or dual control vehicle with accompanying vehicle (No volume restriction)
– Airfreight must be via the highest level of secure cargo available
– Traceable overnight courier for a maximum of 500 cards per package per day per issuer.


Thank You!
