Lock It Up
Part of the card security burden is shifting to retailers—soon
By Lauri Giesen
Payment security has typically meant one thing to retailers and payments processors—protecting credit card or other payment data while it is being transmitted during a sale. A lot of time and money have been put into protecting credit card data while it is being passed around among the customer, the retailer, a payments processor and the bank that issued the card.
But not as much effort has been spent in protecting customer-related payments data stored in back-office computers by the retailers or their hired third-party processors. Outside of building a few firewalls, a lot of retailers don’t take the extra steps to protect customer files.
Huge numbers
The problem, however, is that a breach of security in this stored data can be much more devastating than the compromising of a single card, as some online retailers learned when their databases were hacked. A criminal who is able to capture one sale transaction and obtain the customer’s card number has one account to victimize. But a criminal who breaks into a retailer’s database and gets customers’ names and card numbers has hundreds—maybe even thousands—of potential victims.
“The numbers relating to fixing the damage once there has been a security violation are huge,” says Earle Humphreys, executive vice president of Solutionary, an Internet security technology firm. “It costs about $2 million per incident to repair the damage of a violation once you factor in the cost to the financial institutions to reissue cards to all the affected customers and the cost to the retailer to fix the problem. And that’s in addition to any actual fraud losses due to criminals making purchases with those card numbers.”
Card companies, retailers and processors have been well aware of the risk since the dawn of online retailing. Now, something is going to be done about the risk. Retailers have been put on notice by two security mandates from Visa and MasterCard—and both mandates require at least the largest retailers to prove they are security compliant by this fall. Visa’s Cardholder Information Security Program and MasterCard’s Site Data Protection require retailers, their third-party processors and anyone else who handles sensitive card data to meet specific requirements relating to the protection of payment data.
While these mandates relate to data both in transmission and in storage, it is the latter that is getting the most attention from retailers and processors. Most retailers already have been encrypting data that is sent over public networks. And most have built firewalls to protect stored data. But these requirements take the security of stored data to a higher level. And the mandates are getting retailers to take a second look at how they secure all customer data—even information that doesn’t relate to credit cards.
Starting to ramp up
While the new protection may be costly—especially to smaller retailers—many security experts believe these mandates will force retailers and payments processors to do a better job of protecting customer data. “There has been very little encryption of stored data until now,” says Avivah Litan, a consultant with Gartner Inc. “Less than 20% of such card information today is encrypted.”
With Visa’s deadline approaching for large retailers to prove compliance, many retailers are scrambling to meet the mandates. “Retailers have really started to ramp up during the last six months,” Litan says. “I was at a security conference in June with about 500 to 600 retailers and I asked how many were working on CISP and SDP and most of the hands went up.”
Visa first announced its CISP program in April 2000 and it is requiring that the largest retailers, those with more than 6 million Visa transactions annually, be able to prove their compliance by Sept. 30. The next tier of retailers, those with 500,000 to 6 million transactions, must be in compliance by March 31, 2005. Plans for smaller retailers’ compliance must be developed by the Visa members individually. Industry sources say, however, that Visa has given extensions to some large retailers if they have shown progress on the effort. Visa executives won’t confirm that any extensions were indeed given.
MasterCard’s SDP required its largest retailers to be compliant in June. Its mandates also relate to protecting the security of card information as it relates to fraud, customer privacy and customer safety.
A collaborative effort
Ultimately, the associations are holding their members—that is, the financial institutions that sponsor the retailers into the Visa and MasterCard network—responsible for making sure their retailers and processors are compliant. If not, Visa members could face fines up to $500,000 per incident when data security is breached. Still, the burden of actually developing and implementing a plan for compliance falls largely on the retailers and the processors that handle the data for the retailers.
“The onus for getting compliant is shared by the retailers, the processors and the acquirers,” says Angela Brown, executive vice president for client relations for Vital Processing Services, a Tempe, Ariz.-based processor of payment transactions that has been certified for compliance by both associations. “Getting an individual merchant to be in compliance usually is a collaborative effort.” Vital has been working on this effort for about two years, Brown says.
But even more parties than the retailer and its processor are affected by the mandates. “Anyone who touches, stores or transmits payment in any way is responsible for making sure they comply with this program,” says John Shaughnessey, senior vice president of fraud prevention for Visa. Among others that are affected are web hosting sites and security companies involved with credit card payments.
Humphreys says the task for large online retailers won’t be that different from what large offline merchants face. The big difference will occur for smaller online merchants. Because Visa is leaving it up to the acquirers to decide which measures the smaller players need to take—then hold the acquirers accountable if something goes wrong—these acquirers are likely to prioritize their merchants based on perceived risk. “Because online retailers send all transactions over the Internet and keep a lot of customer information on file, they’re likely to face a lot more scrutiny from the acquirers,” Humphreys says. “An online record store, for example, is going to face a ton more scrutiny than a regular record shop even if they have similar sales volume. They’re going to have a lot more questions to answer about their security measures and what they’re doing to keep hackers from getting in.”
Acquirers will be asking online retailers how they connect to the Internet, what type of servers they use and how they retain data. Retailers, in turn, should evaluate their processors’ security measures by asking to see their certification reports from Visa and MasterCard and asking about specific measures they have taken to ensure compliance.
Retailers should also ask their acquiring banks what they will need to do in the near future and who will bear the costs. And they should ask for recommendations on which technology companies to work with to ensure compliance.
Humphreys says small retailers may also get a group discount rate on services by going through the acquirer. “Most acquirers have not looked at the Tier 3 merchants yet and by trying to negotiate a plan now, retailers may find they are in a better negotiating stance at getting the acquirers to help share more of the cost than they will be able to negotiate later when the acquirer has its plans set in stone,” Humphreys says.
Many of the smaller retailers have also been the most lax in meeting accepted security measures to date. “Most of the largest retailers recognized years ago that the core of their business rests in their ability to protect customer information. Most of them have taken proactive steps from the beginning to protect this data. Some of the other retailers have not been as thoughtful and they now have to take a closer look at what they need to do,” says Joseph Patanella, president and COO of Annapolis, Md.-based TrustWave, a firm that provides technology to meet the Visa and MasterCard mandates and is also a certified assessor.
Early Changes
Visa has 12 general requirements (see chart) with 130 subrequirements that must be met. To prove they are in compliance, retailers and processors must be certified by an independent company approved by Visa for this program. Additionally, these requirements are expected to evolve as technology and e-commerce evolve. “Security is not an event; it is an on-going process,” says Shaughnessey. “Our requirements may change over time. If new vulnerabilities come to surface that we had not seen before, we are likely to add to the requirements.”
Industry experts say already there have been some changes in the rules to reflect emerging technology. “When Visa first came out with its specifications in 2002, it did not address wireless transmission of data because in 2002 there were not very many merchants that had wireless transactions. But this year, CISP addressed security related to wireless transmission of data,” says Jason Hengels, information security architect for CyberSource Corp. of Mountain View, Calif. CyberSource has been certified for compliance with both programs.
With their deadlines coming up soon, it has been the largest retailers who have been working the hardest to get into compliance. That is important to Visa because these retailers have the greatest number of transactions and therefore have the greatest number of customer accounts at risk.
But while Solutionary’s Humphreys says he has seen a “flurry” of activity from the Tier I and Tier II retailers, little has been done yet with retailers who have fewer than 500,000 annual card transactions. Solutionary is a certified security assessor for both Visa and MasterCard members.
The problem with getting the small retailers in compliance, he says, is that Visa is allowing the financial institutions to develop their own plans for compliance. And that has been complicated because there are so many mom-and-pop shops. “The problem is how to make sure all of them are in compliance,” Humphreys says. “And unlike the big retailers, most don’t have a technical person on staff to figure out a security plan. Many times, their acquirer will send them a report outlining security standards they need to comply with, but the report is quite technical and it is not written in simple English that a retailer could understand.”
Some financial institutions are sending technology companies to install security systems at all retail locations. Many of the retailers do not have point-of-sale terminals that can handle easy downloads of software so a technical expert may have to visit and install security measures at each retail location and that can be costly, Humphreys says. “Let’s say an acquirer bank was responsible for 150,000 retail locations. Even if they installed the rock bottom, lowest-price system, it would still cost at least $100 per merchant location to install,” Humphreys says. “That’s a minimum cost of $15 million.”
Risk management
The alternative for financial institutions is not to ignore the problem as it relates to smaller retailers, Humphreys argues, but rather to conduct a risk assessment of all retail locations. “Banks know how to conduct risk assessment; they do it all the time,” he says.
In this case, however, rather than looking at a lot of financial numbers, banks need to examine their retail customers to see which pose the greatest security risks. Humphreys explains that online retailers would most likely be viewed as riskier than brick-and-mortar retailers because all their transactions move across public networks and many keep a lot of customer credit card account numbers on file to facilitate repeat sales. Other factors to consider in risk management are what types of point-of-sale equipment, back-end computer and software systems each retailer uses and how secure each is. Lastly, the type of business and transaction volume of each retailer needs to be factored in.
Once an acquirer has evaluated the risk associated with each merchant, it can decide which ones justify installing costly security systems and which ones the acquirer is willing to risk won’t cause any costly incidents.
Another problem that retailers face in trying to achieve compliance with Visa and MasterCard mandates is that the two programs have some significant differences in their requirements, and that means a retailer has to be certified twice—once for each program. “CISP seems to be more comprehensive while SDP requires quarterly reviews,” explains CyberSource’s Hengels.
Patanella notes that online retailers are also affected more by the MasterCard standards than by Visa’s, in that SDP is almost entirely devoted to e-commerce, whereas Visa applies the same rules to both online and brick-and-mortar retailers.
Visa and MasterCard recognize that having differing requirements places a burden on retailers—especially since both association programs are trying to accomplish the same thing. So the two competitors are working to simplify that aspect of compliance. “We’ve been working with MasterCard since October,” says Shaughnessey. “The goal is to get to the point where a retailer or processor can be validated for both programs at the same time.”
“I’ve been told to expect an announcement that Visa and MasterCard have agreed upon some joint requirements within 60 days,” says one industry expert.
Currently, American Express and Discover do not have similar programs, but many industry experts expect they will become involved at some point. Patanella says both Discover and AmEx have been working on similar standards and he expects announcements from both companies shortly. “To date, AmEx has more or less just accepted Visa’s requirements,” he says.
Don’t rely on firewalls alone
One interesting aspect of both programs, however, is the recognition that firewalls are not sufficient to protect stored data. “Firewalls are just one element of security,” says Visa’s Shaughnessey. “You have to either encrypt the data or find some way to render it useless if it falls into the wrong hands.”
One of the problems with firewalls is that they don’t prevent inside jobs, where employees of the retailer or processor illegally gain access to the information for personal gain. According to some industry estimates, more than half of attacks on secure databases occur inside the firewalls. CISP and SDP set limitations on who has access to customer information and how even authorized personnel need to identify themselves. But even more important is the fact that even if an insider gains illicit access to customer files, the information he or she obtains will be encrypted and no employee will have all the keys necessary to decrypt that information.
“If I’m a retailer, I don’t want my database administrator to even be tempted to break into those files,” says Karim Taubba, vice president of marketing for Ingrian Networks, a Redwood City, Calif.-based technology firm that has products that help retailers, processors and banks get into compliance with CISP and SDP. “If the proper encryption has taken place, they won’t even try.”
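The split-key idea above, as an added example that is not from the article or from any vendor it names: a stored card number is encrypted under a data key that is XOR-split between two custodians (say, the DBA and a security officer), so a single insider with one share and a copy of the database recovers nothing. It assumes Go’s standard crypto/aes and crypto/cipher packages and a constructed test PAN.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// SplitKey splits a data-encryption key (DEK) into two shares, e.g. one for the
// DBA and one for the security officer. Each share alone is uniformly random,
// so neither custodian learns anything about the key without the other.
func SplitKey(key []byte) (a, b []byte) {
	a = make([]byte, len(key))
	rand.Read(a) // crypto/rand never returns a short read
	b = make([]byte, len(key))
	for i := range key {
		b[i] = key[i] ^ a[i]
	}
	return a, b
}

// CombineKey rebuilds the DEK; both custodians must present their share.
func CombineKey(a, b []byte) []byte {
	key := make([]byte, len(a))
	for i := range a {
		key[i] = a[i] ^ b[i]
	}
	return key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN returns the last four digits (kept in clear for receipts) and
// nonce||ciphertext of the full PAN under AES-GCM. The last four are bound as
// associated data, so a ciphertext cannot be moved onto another record.
func EncryptPAN(key []byte, pan string) (string, []byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(pan) < 4 {
		return "", nil, errors.New("bad key or PAN too short")
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	last4 := pan[len(pan)-4:]
	return last4, gcm.Seal(nonce, nonce, []byte(pan), []byte(last4)), nil
}

// DecryptPAN fails on a wrong key, a lone share, or a tampered record.
func DecryptPAN(key []byte, last4 string, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return "", errors.New("bad key or record")
	}
	ns := gcm.NonceSize()
	pt, err := gcm.Open(nil, blob[:ns], blob[ns:], []byte(last4))
	return string(pt), err
}
```

In practice the combined DEK lives only in memory of the payment application, and the shares are entered or unwrapped separately; the database itself stores only the last-four and the ciphertext.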
Much of the attention retailers need to focus on is in the back-office operations rather than on their Internet server side. Patanella says most retailers have been vigilant about protecting data that is being stored on Internet servers and being transmitted over Internet networks. However, many of these same retailers will transfer customer data once the sale is complete to be stored on a back-end system that does not have the same security measures as the Internet server. “Historically, these back-end systems have posed the greatest security threats,” says Patanella. “Retailers are protecting their data only to a point. Then they are sending the data to a system that is not protected.”
And while CISP and SDP are focused on securing credit card data, the programs are getting retailers to look more closely at how they protect other customer data as well. “CISP and SDP are putting data security in the spotlight,” says Taubba. “Several customers have come to us for help to get compliant with these mandates and while they’re at it, they start looking at what other sensitive data they might have in their files they want to protect. Some retailers are concerned, for example, about having their e-mail customer lists stolen and they’re looking to encrypt that information.”
In the end, the goal is tighter security of customer data all around. “We’re trying to create a culture of security,” says Visa’s Shaughnessey.
Lauri Giesen is a Libertyville, IL-based freelance business writer.
Security is a card issuer—and cardholder—responsibility
While Visa and MasterCard watch closely to make sure at least the largest online retailers are compliant with their respective Cardholder Information Security Program and Site Data Protection programs, the two associations are keeping a close eye on other programs related to Internet security.
Both Verified by Visa and MasterCard’s SecureCode are efforts to spur online shopping by giving consumers a greater sense of security when typing in their credit card numbers online. And both are experiencing solid growth.
These programs require participation of both issuers of cards and retailers that sell goods over the Internet. Issuers then sign up their cardholders who are given passwords. When customers purchase goods at the sites that accept the cards, they are asked for their passwords. Only if the password typed in matches the one held in the card issuer’s files does the sale go through.
Visa reports that 9,000 card issuers worldwide currently offer their customers this program, making it available to 250 million card holders. The program also is used by 17,000 retailers. Among large retailers recently announcing their participation in Verified by Visa are CompUSA, a seller of personal computer products; JetBlue Airways; Digital River, an outsourcing provider, and 2Checkout.com, an online provider of products for businesses.
Meanwhile, MasterCard reports its SecureCode program has attracted 25,000 merchants worldwide—14,000 of which were added in one week in early July. More than 2,700 card issuers worldwide participate in SecureCode program.
Visa attributes much of its recent overall online sales gain to the security provided by Verified by Visa. Visa recently reported that online spending on Visa-branded credit and debit cards in the first quarter of this year rose to $22.3 billion, a 59% gain over the first quarter of 2003.
Programs from both associations appear to have gained from widespread promotions sponsored by the two in recent months. Visa began in June a seven-month campaign in which it is utilizing major Internet portal, news and shopping sites to promote its service—including AOL, Yahoo, CNN, Disney, USAToday.com, NYTimes.com and Shopping.com.
Meanwhile, MasterCard has underway a major advertisement campaign targeted to both consumers and retailers that it is running in print advertisements such as People magazine, Sports Illustrated, Good Housekeeping and some trade magazines.
For retailers, benefits in participating in these programs include being able to protect themselves from fraud liability and lower their costs. Verified by Visa, for example, protects merchants from fraud-related chargebacks on transactions that occur through the program. Also, merchants get a five-basis-point discount on interchange fees for all Verified by Visa transactions.
Consumers appear to like the feeling of security they get from the added layer of protection. A survey conducted for Visa showed that 83% of respondents said they felt more secure while shopping online when presented with a payment card authentication option.
Some outside observers are impressed with the early results. “Implementing programs like Verified by Visa greatly improves consumers’ perceptions of online merchants and increases the likelihood of repeat customers,” says James Van Dyke, analyst for Javelin Strategy & Research.
But some believe both programs have a way to go before widespread acceptance by both consumers and merchants.
“They’re not doing badly with this,” says Avivah Litan, analyst for Stamford, Conn.-based Gartner Inc. “But there is still some resistance on the merchant side. One of the biggest problems they still have is that the merchants who need them the most can’t always qualify. Verified by Visa won’t let in merchants with the highest fraud rates.”
Both Visa and MasterCard executives have said that the programs are only part of a good security system and that merchants need to implement security systems to get their fraud rates down first.