Yahoo Stores features ‘automatic’ PCI compliance for secure payments, among other options.
Another problem that retailers face in trying to achieve compliance with the Visa and MasterCard mandates is that the two programs have some significant differences in their requirements, which means a retailer has to be certified twice, once for each program. “CISP seems to be more comprehensive while SDP requires quarterly reviews,” explains CyberSource’s Hengels.
Patanella notes that online retailers are also affected more by the MasterCard standards than by Visa’s, in that SDP is almost entirely devoted to e-commerce, whereas Visa applies the same rules to both online and brick-and-mortar retailers.
Visa and MasterCard recognize that having differing requirements places a burden on retailers, especially since both association programs are trying to accomplish the same thing. So the two competitors are working to simplify that aspect of compliance. “We’ve been working with MasterCard since October,” says Shaughnessey. “The goal is to get to the point where a retailer or processor can be validated for both programs at the same time.”
“I’ve been told to expect an announcement that Visa and MasterCard have agreed upon some joint requirements within 60 days,” says one industry expert.
Currently, American Express and Discover do not have similar programs, but many industry experts expect they will become involved at some point. Patanella says both Discover and AmEx have been working on similar standards and he expects announcements from both companies shortly. “To date, AmEx has more or less just accepted Visa’s requirements,” he says.
Don’t rely on firewalls alone
One interesting aspect of both programs, however, is the recognition that firewalls are not sufficient to protect stored data. “Firewalls are just one element of security,” says Visa’s Shaughnessey. “You have to either encrypt the data or find some way to render it useless if it falls into the wrong hands.”
One of the problems with firewalls is that they don’t prevent inside jobs, where employees of the retailer or processor illegally gain access to the information for personal gain. According to some industry estimates, more than half of attacks on secure databases originate inside the firewall. CISP and SDP set limitations on who has access to customer information and on how even authorized personnel must identify themselves. Even more important is the fact that even if an insider gains illicit access to customer files, the information he or she obtains will be encrypted, and no single employee will hold all the keys necessary to decrypt it.
“If I’m a retailer, I don’t want my database administrator to even be tempted to break into those files,” says Karim Taubba, vice president of marketing for Ingrian Networks, a Redwood City, Calif.-based technology firm whose products help retailers, processors and banks get into compliance with CISP and SDP. “If the proper encryption has taken place, they won’t even try.”
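The control described above (stored card data is encrypted, and no single employee holds a complete decryption key) can be illustrated with a small key-custody scheme. The following Go program is an added example written for this article; it is not code from Ingrian Networks, Visa, MasterCard or any vendor named here. It assumes a simple XOR secret-sharing scheme in which the data-encryption key is split into one share per custodian, and it uses Go’s standard-library AES-256-GCM for the record encryption. The sample record is constructed and is not real cardholder data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// splitKey breaks a symmetric key into n XOR shares. Every share but the last is
// random; the last is chosen so that XOR-ing all n shares reproduces the key.
// Any n-1 shares together are uniformly random, so one custodian learns nothing.
func splitKey(key []byte, n int) ([][]byte, error) {
	if n < 2 {
		return nil, errors.New("need at least two custodians")
	}
	shares := make([][]byte, n)
	last := make([]byte, len(key))
	copy(last, key)
	for i := 0; i < n-1; i++ {
		s := make([]byte, len(key))
		if _, err := rand.Read(s); err != nil {
			return nil, err
		}
		shares[i] = s
		for j := range last {
			last[j] ^= s[j]
		}
	}
	shares[n-1] = last
	return shares, nil
}

// combineShares XORs all shares back into the key. Leaving out any share yields garbage.
func combineShares(shares [][]byte) []byte {
	if len(shares) == 0 {
		return nil
	}
	key := make([]byte, len(shares[0]))
	for _, s := range shares {
		for j := range key {
			key[j] ^= s[j]
		}
	}
	return key
}

// encryptRecord seals a record with AES-256-GCM; the random nonce is prepended to the output.
func encryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptRecord reverses encryptRecord; a wrong key (for example a lone share) fails the GCM tag check.
func decryptRecord(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

func main() {
	key := make([]byte, 32) // AES-256 data-encryption key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record; not real cardholder data.
	record := []byte("PAN=4111111111111111;EXP=12/06")
	ct, err := encryptRecord(key, record)
	if err != nil {
		panic(err)
	}
	// Three hypothetical custodians, e.g. DBA, security officer and auditor.
	shares, err := splitKey(key, 3)
	if err != nil {
		panic(err)
	}
	// A single custodian (say, the DBA) cannot open the record with only their share.
	if _, err := decryptRecord(shares[0], ct); err != nil {
		fmt.Println("single share cannot decrypt:", err)
	}
	pt, err := decryptRecord(combineShares(shares), ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("all shares combined: %s\n", pt)
}
```

In practice the shares would live with separate people or in separate hardware modules and be combined only inside a key-management system, never on the database host itself; the point the example makes is that the database administrator’s share alone is indistinguishable from random and opens nothing.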
Much of the attention retailers need to pay belongs on back-office operations rather than on the Internet server side. Patanella says most retailers have been vigilant about protecting data that is stored on Internet servers and transmitted over Internet networks. However, many of these same retailers will transfer customer data once the sale is complete to a back-end system that does not have the same security measures as the Internet server. “Historically, these back-end systems have posed the greatest security threats,” says Patanella. “Retailers are protecting their data only to a point. Then they are sending the data to a system that is not protected.”
And while CISP and SDP are focused on securing credit card data, the programs are getting retailers to look more closely at how they protect other customer data as well. “CISP and SDP are putting data security in the spotlight,” says Taubba. “Several customers have come to us for help to get compliant with these mandates and while they’re at it, they start looking at what other sensitive data they might have in their files they want to protect. Some retailers are concerned, for example, about having their e-mail customer lists stolen and they’re looking to encrypt that information.”
In the end, the goal is tighter security of customer data all around. “We’re trying to create a culture of security,” says Visa’s Shaughnessey.
Lauri Giesen is a Libertyville, IL-based freelance business writer.
Security is a card issuer and cardholder responsibility
While Visa and MasterCard watch closely to make sure at least the largest online retailers are compliant with their respective Cardholder Information Security Program and Site Data Protection programs, the two associations are keeping a close eye on other programs related to Internet security.
Both Verified by Visa and MasterCard’s SecureCode are efforts to spur online shopping by giving consumers a greater sense of security when typing in their credit card numbers online. And both are experiencing solid growth.
These programs require the participation of both card issuers and retailers that sell goods over the Internet. Issuers then sign up their cardholders, who are given passwords. When customers purchase goods at sites that accept the cards, they are asked for their passwords. Only if the password typed in matches the one held in the card issuer’s files does the sale go through.
Visa reports that 9,000 card issuers worldwide currently offer their customers this program, making it available to 250 million cardholders. The program also is used by 17,000 retailers. Among large retailers recently announcing their participation in Verified by Visa are CompUSA, a seller of personal computer products; JetBlue Airways; Digital River, an outsourcing provider; and 2Checkout.com, an online provider of products for businesses.
Meanwhile, MasterCard reports its SecureCode program has attracted 25,000 merchants worldwide, 14,000 of which were added in one week in early July. More than 2,700 card issuers worldwide participate in the SecureCode program.
Visa attributes much of its recent overall online sales gain to the security provided by Verified by Visa. Visa recently reported that online spending on Visa-branded credit and debit cards in the first quarter of this year rose to $22.3 billion, a 59% gain over the first quarter of 2003.