WHAT'S NEW?
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



Aloha Guest Manager
----------------------------------------------------------------------------------------------------------------------------------------------------------------
Radiant Systems is proud to announce the general release of Aloha Guest Manager. Aloha Guest Manager provides an integrated solution for efficiently managing Some of the key features and benefits of Aloha Guest Manager include:


---------------------------------------------------------------------------------------------------------------------------------------------------------------
SECURING VISA CARDHOLDER DATA
Aloha POS version 5.3.15
Has been verified against the PCI Data Security Standards and Visa CISP Best Practices
by an independent third party.
When customers offer their bankcard at the point of sale, they want assurance that their
account information is safe. That’s why Visa
Security Program (CISP). Mandated since June 2001, the program is intended to protect
Visa cardholder data—wherever it resides—ensuring that members, merchants, and service
providers maintain the highest information security standard.
CISP compliance is required of all merchants and service providers that store, process, or
transmit Visa cardholder data. The program applies to all payment channels, including retail
(brick-and-mortar), mail/telephone order, and e-commerce. To achieve compliance with CISP,
merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security
Standard, which offers a single approach to safeguarding sensitive data for all card brands. This
Standard is a result of a collaboration between Visa and MasterCard and is designed to create
common industry security requirements, incorporating the CISP requirements. Other card
companies operating in the
respective programs.
Using the PCI Data Security Standard as its framework, CISP provides the tools and measurements
needed to protect against cardholder data exposure and compromise across the entire payment
industry. The PCI Data Security Standard consists of twelve basic requirements supported by more
detailed sub-requirements:
PCI Data Security Standard
· Build and Maintain a Secure Network
· Protect Cardholder Data
· Maintain a Vulnerability Management Program
· Implement Strong Access Control Measures
· Regularly Monitor and Test Networks
· Maintain an Information Security Policy
CISP compliance validation
Separate and distinct from the mandate to comply with CISP requirements is the validation of
compliance. It is a fundamental and critical function that identifies and corrects vulnerabilities,
and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of CISP compliance validation based on the volume
of transactions, the potential risk, and exposure introduced into the Visa system by merchants and
service providers.
Why comply?
By complying with CISP requirements, Visa members, merchants, and service providers not only
meet their obligations to the Visa payment system, but also build a culture of security that benefits
everyone.
Benefits of CISP
· Everyone
· Member
· Merchant and Service Provider
· Industry
· Consumer
Visa regulations
The Visa USA Operating Regulations govern the activities of member financial institutions and,
by extension, merchants and service providers as participants in the Visa payment system.
The simplified requirements presented here should help clarify the intent of the more formal
regulations.
Member CISP responsibilities
Members are responsible for ensuring the CISP compliance of their merchants, service providers,
and their merchants' service providers. Although there may not be a direct contractual relationship
between merchant service providers and acquiring members, all members remain responsible for
any liability that may occur as a result of CISP non-compliance. Acquirers must include a CISP
compliance provision in all contracts with merchants and Nonmember agents.
Disclosure of cardholder information
Issuers, acquirers, and merchants may disclose Visa transaction information only to service providers approved by Visa (i.e., those who support a loyalty program or provide fraud control services).
To receive Visa approval, a service provider must comply with the CISP requirements. Additionally,
a member that discloses or allows its merchants to disclose Visa transaction information to a third
party that has not demonstrated CISP compliance will be subject to the program fines and penalties.
CISP compliance penalties
If a merchant or service provider does not comply with the security requirements or fails to rectify
a security issue, Visa may:
· Fine the acquiring member
· Impose restrictions on the merchant or its agent, or
· Permanently prohibit the merchant or its agent from participating in Visa programs
Members receive protection from fines for merchants or service providers that have been
compromised but found to be CISP-compliant at the time of the security breach. Members are
subject to fines, up to $500,000 per incident, for any merchant or service provider that is
compromised and not CISP-compliant at the time of the incident.
Loss or theft of account information
A member or the member's service provider, or a merchant or the merchant's service provider
must immediately report the suspected or confirmed loss or theft of any material or records that
contain Visa cardholder data.
If a member knows or suspects a security breach with a merchant or service provider, the member
must take immediate action to investigate the incident and limit the exposure of cardholder data.
If a Visa member fails to immediately notify Visa USA Fraud Control of the suspected or confirmed
loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000
per incident.
Additional fines may be levied for exceptional circumstances where the violation presents immediate
and substantial risks to Visa and its members.