Here's the basic information:
http://usa.visa.com/business/merchants/cisp_index.html
With an interim pdf questionnaire/checklist at
http://usa.visa.com/media/business/cisp/ComplianceQuestionnaire.pdf
However, it's actually pretty weak. The fines are stiff, but since I assume they don't want to shut down so many customers, the requirements as suggested or implied in these two docs (the final statement of requirements hasn't been posted) put up a show, but not much more.
The two suggest (but don't seem to require?) that there should be a NAT firewall between the machine and the net, that your machine be kept up to date, and that passwords are stored encrypted, cc info stored encryped that you have various security policies in place and basically that you use SSL for any communication transmitting cc information. It's not clear if telnet or rlogin are allowed (but which ACS user is still accepting them for incoming connections?)
IANAL, but it appears an openssl des3 encryption, ns_openssl, some form of firewall including a SOHO NAT router and a bunch of policies will do the trick.
Who needs the CVV2 (the 3 digits on the back of the card) information? Verisign's payment gateway sure doesn't, so there's no need to store it in the db.
Thanks for pointing this out. I will use des3 and not bf, and I will point the document and the fines along to the client.
