Acquirers will be asking online retailers how they connect to the Internet, what type of servers they use and how they retain data. Retailers, in turn, should evaluate their processors’ security measures by asking to see their certification reports from Visa and MasterCard and asking about specific measures they have taken to ensure compliance.
Retailers should also ask their acquiring banks what they will need to do in the near future and who will bear the costs. And they should ask for recommendations on which technology companies to work with to ensure compliance.
Humphreys says small retailers may also get a group discount rate on services by going through the acquirer. “Most acquirers have not looked at the Tier 3 merchants yet and by trying to negotiate a plan now, retailers may find they are in a better negotiating stance at getting the acquirers to help share more of the cost than they will be able to negotiate later when the acquirer has its plans set in stone,” Humphreys says.
Many of the smaller retailers have also been the most lax in meeting accepted security measures to date. “Most of the largest retailers recognized years ago that the core of their business rests in their ability to protect customer information. Most of them have taken proactive steps from the beginning to protect this data. Some of the other retailers have not been as thoughtful and they now have to take a closer look at what they need to do,” says Joseph Patanella, president and COO of Annapolis, Md.-based TrustWave, a firm that provides technology to meet the Visa and MasterCard mandates and is also a certified assessor.
Visa has 12 general requirements (see chart) with 130 subrequirements that must be met. To prove they are in compliance, retailers and processors must be certified by an independent company approved by Visa for this program. Additionally, these requirements are expected to evolve as technology and e-commerce evolve. “Security is not an event; it is an on-going process,” says Shaughnessey. “Our requirements may change over time. If new vulnerabilities come to surface that we had not seen before, we are likely to add to the requirements.”
Industry experts say already there have been some changes in the rules to reflect emerging technology. “When Visa first came out with its specifications in 2002, it did not address wireless transmission of data because in 2002 there were not very many merchants that had wireless transactions. But this year, CISP addressed security related to wireless transmission of data,” says Jason Hengels, information security architect for CyberSource Corp. of Mountain View, Calif. CyberSource has been certified for compliance with both programs.
With their deadlines approaching, the largest retailers have been working hardest to get into compliance. That matters to Visa because these retailers handle the greatest number of transactions and therefore have the greatest number of customer accounts at risk.
But while Solutionary’s Humphreys says he has seen a “flurry” of activity from the Tier I and Tier II retailers, little has been done yet with retailers who have fewer than 500,000 annual card transactions. Solutionary is a certified security assessor for both Visa and MasterCard members.
The problem with getting the small retailers in compliance, he says, is that Visa is allowing the financial institutions to develop their own plans for compliance. And that has been complicated because there are so many mom-and-pop shops. “The problem is how to make sure all of them are in compliance,” Humphreys says. “And unlike the big retailers, most don’t have a technical person on staff to figure out a security plan. Many times, their acquirer will send them a report outlining security standards they need to comply with, but the report is quite technical and it is not written in simple English that a retailer could understand.”
Some financial institutions are sending technology companies to install security systems at all retail locations. Many of the retailers do not have point-of-sale terminals that can handle easy downloads of software so a technical expert may have to visit and install security measures at each retail location and that can be costly, Humphreys says. “Let’s say an acquirer bank was responsible for 150,000 retail locations. Even if they installed the rock bottom, lowest-price system, it would still cost at least $100 per merchant location to install,” Humphreys says. “That’s a minimum cost of $15 million.”
The alternative for financial institutions is not to ignore the problem as it relates to smaller retailers, Humphreys argues, but rather to conduct a risk assessment of all retail locations. “Banks know how to conduct risk assessment; they do it all the time,” he says.
In this case, however, rather than looking at a lot of financial numbers, banks need to examine their retail customers to see which pose the greatest security risks. Humphreys explains that online retailers would most likely be viewed as riskier than brick-and-mortar retailers because all their transactions move across public networks and many keep a lot of customer credit card account numbers on file to facilitate repeat sales. Other factors to consider in risk management are what types of point-of-sale equipment, back-end computer and software systems each retailer uses and how secure each is. Lastly, the type of business and transaction volume of each retailer needs to be factored in.
Once an acquirer has evaluated the risk associated with each merchant, it can decide which merchants justify installing costly security systems and which ones it is willing to leave as they are, accepting the risk that they will not cause a costly incident.