Under new MasterCard and Visa rules, retailers who store card data anywhere for any length of time will be responsible for data security. Here’s what retailers need to know to meet those rules.
Payment security has typically meant one thing to retailers and payments processors-protecting credit card or other payment data while it is being transmitted during a sale. A lot of time and money have been put into protecting credit card data while it is being passed around among the customer, the retailer, a payments processor and the bank that issued the card.
But not as much effort has been spent in protecting customer-related payments data stored in back-office computers by the retailers or their hired third-party processors. Outside of building a few firewalls, a lot of retailers don’t take the extra steps to protect customer files.
The problem, however, is that a breach of security in this stored data can be much more devastating than the compromising of a single card, as some online retailers learned when their databases were hacked. A criminal who is able to capture one sale transaction and obtain the customer’s card number has one account to victimize. But a criminal who breaks into a retailer’s database and gets customers’ names and card numbers has hundreds-maybe even thousands-of potential victims.
“The numbers relating to fixing the damage once there has been a security violation are huge,” says Earle Humphreys, executive vice president of Solutionary, an Internet security technology firm. “It costs about $2 million per incident to repair the damage of a violation once you factor in the cost to the financial institutions to reissue cards to all the affected customers and the cost to the retailer to fix the problem. And that’s in addition to any actual fraud losses due to criminals making purchases with those card numbers.”
Card companies, retailers and processors have been well aware of the risk since the dawn of online retailing. Now, something is going to be done about the risk. Retailers have been put on notice by two security mandates from Visa and MasterCard-and both mandates require at least the largest retailers to prove they are security compliant by this fall. Visa’s Cardholder Information Security Program and MasterCard’s Site Data Protection require retailers, their third-party processors and anyone else who handles sensitive card data to meet specific requirements relating to the protection of payment data.
While these mandates relate to data both in transmission and in storage, it is the latter that is getting the most attention from retailers and processors. Most retailers already have been encrypting data that is sent over public networks. And most have built firewalls to protect stored data. But these requirements take the security of stored data to a higher level. And the mandates are getting retailers to take a second look at how they secure all customer data-even information that doesn’t relate to credit cards.
Starting to ramp up
While the new protection may be costly-especially to smaller retailers-many security experts believe these mandates will force retailers and payments processors to do a better job of protecting customer data. “There has been very little encryption of stored data until now,” says Avivah Litan, a consultant with Gartner Inc. “Less than 20% of such card information today is encrypted.”
With Visa’s deadline approaching for large retailers to prove compliance, many retailers are scrambling to meet the mandates. “Retailers have really started to ramp up during the last six months,” Litan says. “I was at a security conference in June with about 500 to 600 retailers and I asked how many were working on CISP and SDP and most of the hands went up.”
Visa first announced its CISP program in April 2000 and it is requiring that the largest retailers, those with more than 6 million Visa transactions annually, be able to prove their compliance by Sept. 30. The next tier of retailers, those with 500,000 to 6 million transactions, must be in compliance by March 31, 2005. Plans for smaller retailers’ compliance must be developed by the Visa members individually. Industry sources say, however, that Visa has given extensions to some large retailers if they have shown progress on the effort. Visa executives won’t confirm that any extensions were indeed given.
MasterCard’s SDP required its largest retailers to be compliant in June. Its mandates also relate to protecting the security of card information as it relates to fraud, customer privacy and customer safety.
A collaborative effort
Ultimately, the associations are holding their members-that is, the financial institutions that sponsor the retailers into the Visa and MasterCard network-responsible for making sure their retailers and processors are compliant. If not, Visa members could face fines up to $500,000 per incident when data security is breached. Still, the burden of actually developing and implementing a plan for compliance falls largely on the retailers and the processors that handle the data for the retailers.
“The onus for getting compliant is shared by the retailers, the processors and the acquirers,” says Angela Brown, executive vice president for client relations for Vital Processing Services, a Tempe, Ariz.-based processor of payment transactions that has been certified for compliance by both associations. “Getting an individual merchant to be in compliance usually is a collaborative effort.” Vital has been working on this effort for about two years, Brown says.
But even more parties than the retailer and its processor are affected by the mandates. “Anyone who touches, stores or transmits payment in any way is responsible for making sure they comply with this program,” says John Shaughnessey, senior vice president of fraud prevention for Visa. Among others that are affected are web hosting sites and security companies involved with credit card payments.
Humphreys says the task for large online retailers won’t be that different from what large offline merchants face. The big difference will occur for smaller online merchants. Because Visa is leaving it up to the acquirers to decide which measures the smaller players need to take-then hold the acquirers accountable if something goes wrong-these acquirers are likely to prioritize their merchants based on perceived risk. “Because online retailers send all transactions over the Internet and keep a lot of customer information on file, they’re likely to face a lot more scrutiny from the acquirers,” Humphreys says. “An online record store, for example, is going to face a ton more scrutiny than a regular record shop even if they have similar sales volume. They’re going to have a lot more questions to answer about their security measures and what they’re doing to keep hackers from getting in.”