Merchants who accept online payments via Visa credit cards have one week to comply with the credit card giant's security guidelines or face being cut off from accepting Visa traffic. Compliance by May 1, however, may be difficult for large companies that accept payments on both sides of the Atlantic Ocean because of a lack of uniformity between the guidelines of Visa's North American and International divisions, according to Meta Group's vice president and director of global security/security infusion.
"The guidelines work well for small- and mid-sized organizations, but it's a royal mess for large, multinational online merchants who have to comply with both (sets of guidelines)," said Meta Group's Christian Byrnes. "The cost to them may be significant."
Visa, meanwhile, said the disparity is negligible and its vice president of risk management, John Shaughnessy, called it a "non-issue," adding that merchants must adhere to the regulations for their region and that those are the regulations that will apply in multinational transactions.
"The two sets of guidelines accomplish the same thing as far as data security," Shaughnessy said, adding that the North American division worked with International while it was developing its guidelines. "We require all the same things. When you dig into the guidelines underneath and start in on the next level down, that's where there are more details."
Spelling out the differences
The guidelines are similar on many fronts. Both require that online merchants install and maintain a network firewall, keep security patches up to date, encrypt stored data and data sent across an open network, protect networks from viruses, establish policy that prohibits using vendor-supplied defaults for passwords and other security parameters, restrict access to data on a "need-to-know" basis, assign each person a unique ID and validate it when accessing data, track access to data (including read-only) by a unique ID, establish and maintain a policy for employees and contractors and regularly test security systems and procedures.
The major difference rests in International's demand that its merchants use only service providers that meet the established guidelines, a proviso that may narrow the field significantly for merchants.
According to Visa, service providers must come into compliance with each security guideline spelled out by Visa and annually register with the company. The service providers are subject to an inspection by Visa or its third-party transaction test systems provider, Acquirer Systems. Visa said it provides all of its merchants with a list of registered service providers.
Deadline looms for merchants
Now that merchants have less than one week to comply with Visa guidelines, clearing the haze over the disparity becomes imperative. Visa's decision to develop online security guidelines for its member merchants is the first proactive step taken by a credit card giant in this direction.
"It's never been part of their charter to control the operations of their customers. They never believed it was their responsibility," Byrnes said. "What has happened over the last two years, fraud levels and risk absorption have begun to impact them and credit card companies have been forced into action."
Visa North America began putting the components of its compliance program together in October 1999 when the company approved the Cardholder Information Security Program (CISP). By April 2000, the initial guidelines had been established, and by September, initial requirements published. In October, Visa began educational programs for its merchants through workshops, training videos, educational flyers and distance-learning models put into circulation. Visa began rolling out the program in force in February after sending out letters in January requesting information on compliance status from its merchant members. In the interim, Visa North America began working with the International division on its security guidelines.
Initially, the North American compliance program is targeted at Visa's top 100 e-merchants. A Visa study determined that these 100 merchants were responsible for 70% of the e-commerce volume distribution.
In the end, consumers using Visa credit cards online will be the biggest beneficiaries, according to Patricia Seybold Group researcher Jayne Miller, who added that interest rates may eventually come down as the number of online fraud incidents decreases. However, any costs associated with compliance will be passed along to the consumer, she said.
"What has been done previously is to guarantee to consumers that they are not responsible for fraudulent charges," Seybold's Jayne Miller said. "Now, Visa is going to the merchants and telling them they are going to make sure they are onboard too."