BOSTON - Visa's edict that merchants currently accepting online payments with Visa credit cards come into compliance with the company's 12 security guidelines by May 1 is not as arduous a task as it may seem on the surface, an IT researcher said.
"It doesn't look like companies will have to do much work to come into compliance. None of these requirements seems especially daunting to any reasonable merchant," said research associate Jayne E. W. Miller of the Patricia Seybold Group. "Visa is not doing anything untoward. If anything, they are giving their customers confidence in doing business with these merchants."
As customer credit card numbers continue to fall victim to cybercriminals, Visa's plan to bring merchants in line with a specific set of guidelines is the first proactive step taken by a credit card giant.
"Companies have probably been reluctant in the past to say to merchants, 'You have to do it our way.' End customers demand that kind of service," Miller said. "Visa is probably responding to their customers. It's an incentive for merchants to participate, as well. I expect MasterCard and American Express and others may soon follow suit."
Visa vice president of risk management, John Shaughnessy, told a gathering of security experts this week at the e-Security Conference here that Visa's decision to make these demands of merchants is in defense of its brand.
" If you hold Visa data, you've got to keep it secure," Shaughnessy said. "We hadn't been telling our merchants how to do that until now. We had to create a performance baseline, provide education and best practices, develop the capability to monitor compliance and create a remediation process for those identified as not meeting the requirements.
"We want people to feel safe doing e-commerce. We don't want to kill it. We want to enable business and create a lot of profit for everyone."
Top 100 e-merchants targeted first
Visa's threat to stop taking traffic from merchants not in compliance by May 1 is not etched in stone, Shaughnessy said.
"We expect everyone to be in compliance. If they are not, we have to understand why, then deal with those circumstances," Shaughnessy said. "You won't be shut down on May 1."
Visa's compliance program dates back to October 1999, when the company approved the Cardholder Information Security Program (CISP). By April 2000, guidelines had been established, and by September, initial requirements had been published. In October, Visa's educational programs began, with workshops, training videos, educational flyers and distance-learning models put into circulation. Visa began rolling out the program in force in February, after sending out letters in January requesting information on compliance status from its merchant members.
Shaughnessy said Visa decided to roll out the program with its top 100 e-merchants, who Visa determined were responsible for 70% of the e-commerce volume distribution. Shaughnessy said some of those top 100 have yet to respond to Visa's compliance-status letter.
"May 1 is the deadline for compliance and we're sticking to it," he said.
Shaughnessy said Visa initially identified 10 security requirements, but that list has grown to a dozen in response to changes in the online environment. He added that it may continue to grow. The requirements are:
- Install and maintain a working firewall to protect data
- Keep security patches up to date
- Encrypt stored data
- Encrypt data sent across open networks
- Use and regularly update anti-virus software
- Assign unique IDs to each person with computer access to data
- Don't use vendor-supplied defaults for password and security
- Track access to data, including "read only," by unique ID
- Regularly test security systems and processes
- Implement a management policy that addresses information security
- Restrict physical access to information
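Three of the requirements above (unique IDs for everyone with access, no vendor-supplied default accounts, and tracking every access to data, including read-only access, by that ID) translate directly into code. The following Python sketch is an added illustration, not Visa's code and not taken from the CISP documents: the cardholder store, the user registry, the list of default account names and the sample values are all constructed for the example, and the hash chain is one possible way of making the audit trail tamper-evident so that it can be checked during the monitoring Shaughnessy describes.

```python
"""Audit-trail sketch for the CISP requirements on unique IDs and access
tracking. Added example; the store, users and sample data are constructed."""
import hashlib
import json
import time
from dataclasses import dataclass

# Constructed list of vendor-supplied default account names that must not
# be used to reach cardholder data (requirement: no vendor defaults).
VENDOR_DEFAULT_ACCOUNTS = {"admin", "root", "guest", "sa"}

GENESIS_HASH = "0" * 64


@dataclass
class AuditEntry:
    ts: float
    user_id: str      # the unique ID of the person who accessed the data
    action: str       # "read" or "write"; reads are tracked too
    record_key: str
    prev_hash: str    # hash of the previous entry, forming a chain
    entry_hash: str = ""


def _payload(entry: AuditEntry) -> bytes:
    """Canonical bytes covered by an entry's hash."""
    return json.dumps([entry.ts, entry.user_id, entry.action,
                       entry.record_key, entry.prev_hash]).encode()


class CardholderStore:
    """Toy data store: rejects shared/default accounts and appends a
    hash-chained audit entry for every access, read-only included."""

    def __init__(self, users: set):
        self.users = set(users)          # registry of unique user IDs
        self.records = {}
        self.audit = []
        self._last_hash = GENESIS_HASH

    def _check_user(self, user_id: str) -> None:
        if user_id in VENDOR_DEFAULT_ACCOUNTS:
            raise PermissionError(f"vendor default account refused: {user_id}")
        if user_id not in self.users:
            raise PermissionError(f"unknown user id: {user_id}")

    def _log(self, user_id: str, action: str, key: str) -> None:
        entry = AuditEntry(time.time(), user_id, action, key, self._last_hash)
        entry.entry_hash = hashlib.sha256(_payload(entry)).hexdigest()
        self._last_hash = entry.entry_hash
        self.audit.append(entry)

    def write(self, user_id: str, key: str, value: str) -> None:
        self._check_user(user_id)
        self.records[key] = value
        self._log(user_id, "write", key)

    def read(self, user_id: str, key: str):
        self._check_user(user_id)
        self._log(user_id, "read", key)   # "read only" access is tracked
        return self.records.get(key)

    def verify_audit(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS_HASH
        for e in self.audit:
            if e.prev_hash != prev:
                return False
            if hashlib.sha256(_payload(e)).hexdigest() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def accesses_by(self, user_id: str) -> list:
        """Which records a given unique ID touched, and how."""
        return [(e.action, e.record_key) for e in self.audit
                if e.user_id == user_id]


if __name__ == "__main__":
    store = CardholderStore({"alice", "bob"})
    # Constructed sample: a token referencing a card, not a real card number.
    store.write("alice", "cust-42", "CARD-REF-0001")
    store.read("bob", "cust-42")
    print(store.accesses_by("bob"), store.verify_audit())
```

The point the example makes is that the audit trail answers "who looked at this record" for reads as well as writes, that a shared `admin` login can never appear in it, and that `verify_audit` lets a reviewer detect an altered trail rather than having to take it on trust.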
"The point here is that security is a process. You can be compliant now, but in six months you may not be," Shaughnessy said. "We are not trying to kill e-commerce. Our interest is not to shut people down. If someone is negligent or belligerent about it, we will take a different tact with them. You don't pass our requirements, we don't want you taking a Visa card. With the brand impact involved, that's the stand we have to take.
Consumers' best interest at heart
Seybold researcher Miller said that Visa's plan is a positive step for consumers because credit card companies may eventually be able to offer lower interest rates if the cost of fraud to companies like Visa decreases, although merchants that have to upgrade their systems will ultimately pass those costs on to customers.
"Visa may lose a few (merchant) customers (who choose not to comply), but probably not that many," Miller said. "Companies will want to have guidelines spelled out for them. Companies can use these guidelines as a punch list for themselves."
Shaughnessy said Visa will continuously monitor for compliance and use a third party for confirmation of compliance. Should a hack take place, Visa will monitor the investigation along with a third-party transaction test systems provider, Acquirer Systems. Any merchants failing to notify Visa of a successful or attempted hack are subject to a $100,000 fine, Shaughnessy said. Monitoring includes perimeter testing, site reviews and server testing, he added.
"What has been done previously is to guarantee to consumers that they are not responsible for fraudulent charges," Miller said. "Now, Visa is going to the merchants and telling them they are going to make sure they are onboard too.
"Visa and MasterCard have a lot of power. They can do this."