Keep It Safe
Retailers are coming around to the card companies' security programs
By Linda Punch
Concerns about protecting confidential customer data are as old as e-commerce itself. Way back in 1999 a hacker stole credit card numbers from CDUniverse.com and generated a lot of publicity when he posted the numbers on a web site after failing to extort ransom from CDUniverse's parent. Ever since, polls have shown that a significant number of consumers won't shop online because they fear their credit card number being stolen.
And retailers don't expect the situation to get any better. In fact, 49% of retailers in a survey by payments processor CyberSource Corp. expect online payment fraud to increase this year, while 44% expect it to remain the same. A mere 7% say it will decline.
Two programs
In response, MasterCard and Visa over the past few years have developed security programs designed not only to reduce fraud but also to boost cardholder confidence. So far, they're having varying degrees of success.
For starters, they developed cardholder authentication programs to protect cardholder data in transmission. These programs--Verified by Visa and MasterCard SecureCode--require cardholders to enter a password when making a credit card purchase online. Both associations say they are seeing increased participation in these programs by merchants and card issuers. However, those participants still represent only a fraction of the Visa and MasterCard merchant and issuer bases.
Meanwhile, Visa and MasterCard are rolling out programs for protecting confidential data on merchants' web sites. Both report that online merchants are meeting mandated deadlines for implementing the security standards--MasterCard's Site Data Protection and Visa's Cardholder Information Security Program--although they won't report specific numbers.
Meeting the deadlines
The standards apply to any entity that stores or transmits payment card data.
MasterCard set two compliance dates for implementation--June 2004 and June 2005--while Visa mandated compliance by Sept. 30, 2004, and March 31, 2005. For both associations, the largest merchants, those that process more than 6 million transactions annually, faced the first deadline. Merchants that suffered a hack or an attack that resulted in an account data compromise also fell into this category.
The second level includes e-commerce merchants processing 150,000 to 6 million transactions per year. E-commerce merchants processing 20,000 to 150,000 transactions fall into the third level, and all other merchants, regardless of acceptance channel, fall into level four.
The requirements for data security protection vary depending upon which level the retailer falls under. Those requirements range from an annual on-site security audit and quarterly network scan for level one to a recommended self-assessment questionnaire and recommended annual network scan for the fourth level.
Overwhelmingly embraced
The requirements for validating compliance also differ, with level one required to submit to an audit by an independent security assessor or an internal audit signed by an officer of the company. Compliance must also be validated by a qualified independent scan vendor. At the lowest level, the merchant itself validates compliance. Validation by a qualified independent scan vendor is optional.
For the largest e-merchants, "it's fair to say that they are either in compliance or there's a specific plan in place to achieve that," says Thomas Maxwell, director of advanced payments at MasterCard.
Adds John Shaughnessey, senior vice president of fraud prevention at Visa: "With a very few exceptions, it's been overwhelmingly embraced. We're really encouraged."
Compliance has been helped in part by the development by Visa and MasterCard of an integrated standard for data protection--the Payment Card Industry Data Security Standard. Under PCI, if a merchant is in compliance with one association's standard it is automatically in compliance with the other's. American Express, Discover, Diners Club and JCB also endorse the standard.
That makes it easier and less costly for e-merchants to comply. "To have one standard to comply with, with one set of compliance dates, makes everybody's life simpler, including ours," says Chris Noel, vice president of business development at Solutionary Inc., an Internet security technology firm.
While PCI is the underlying data security standard for both programs, both associations will keep their proprietary programs. That's because Visa and MasterCard administer the programs differently.
Changing minds
To be sure, it hasn't always been easy to persuade merchants to implement the standards even though they are mandatory. "There's a minority out there saying Visa has no way of enforcing this obligation on them, that they're not going to be dragged along against their will," Noel says. "In each case where I've seen the merchant take that stance, he ends up eventually changing his mind" after Solutionary discusses the need for data protection.
"Cybercrime is the third priority on the FBI's list after counterterrorism and counterespionage," Noel says. "That would suggest it's important. If you look at the fact that identity theft is the fastest growing crime in America, that would say it's important." 95% of the merchants Solutionary works with are moving forward with adopting the standards, Noel says. About 80% of Solutionary's 200 customers have a web presence.
Educating merchants about the need for data protection also helped Wells Fargo & Co. bring its merchants into compliance. Its 40,000 online merchants, including eBay, are fully compliant with Visa's CISP rules, says Debra Rossi, executive vice president of merchant payment solutions. "Merchants want to do everything they can to be protected against fraud," she says. "Most of them understand the liability."
Wells Fargo's next step will be to bring its brick-and-mortar merchants into compliance, Rossi says. She notes that cardholder information held by stores may be more vulnerable to fraud than that held by e-retailers.
The key
The merchant banks hold the key to ensuring retailer compliance, says Mike Pettiti, senior vice president of marketing at data security company Ambiron. "You're really going to see adoption among the merchants when the acquirers begin to drive the data security policies and best practices down to the merchant level," he says.
Frequent reports of database breaches are making it easier to convince online merchants of the need for data protection, observers say. Since the beginning of the year, there have been data breaches involving at least four well-known companies--data brokers Choicepoint Inc. and LexisNexis and retailers Polo Ralph Lauren Corp. and DSW Shoe Warehouse. "There is a growing understanding of the absolute necessity to protect this data," Shaughnessey says.
And there's more at stake than a fine from an association. "I wouldn't want to be a merchant issuing a press release saying, 'I'm sorry, your data is compromised and here's an 800 number for you to report any fraudulent transactions,'" Noel says. "It can't help for you to be in a position where you've not protected the most precious asset your customers entrusted you with--their financial information."
Although there are penalties for missing the deadlines, MasterCard and Visa are showing leniency towards non-compliant merchants. That's because there are often legitimate reasons merchants can't meet the requirements by compliance dates, for example, a merger or system changes, Maxwell says. "There are always going to be mitigating circumstances, which is why we are actively managing and ensuring that we understand the status on the merchant level," he says. "We can recognize a reasonable effort."
Visa, too, will work directly with merchants in conjunction with the financial institutions that sponsored them into the Visa network, Shaughnessey says.
The progress made in merchant adoption of security standards has left the associations optimistic that database breaches will become few and far between. "In the incidents we've seen, had the retailers been compliant with PCI or CISP, it's likely they wouldn't have been hacked," Shaughnessey says. "So we think there's a lot of strength and wisdom in the requirements and they've been pretty well thought out."
While the data protection programs are moving forward, the cardholder authentication programs of the two associations--Verified by Visa and MasterCard SecureCode--are finding less success.
At MasterCard, merchant participants have increased to more than 50,888 merchants, compared to 9,000 a year ago, Maxwell says. It has 11.3 million cardholders worldwide enrolled in the program. MasterCard has a merchant base of about 23 million and a cardholder base of 679.5 million.
At Visa, 56,000 merchants have enrolled in Verified by Visa as have 4 million cardholders, says Mike Yakel, vice president for risk product development. At merchant sites that support Verified by Visa, 38% of transactions are authenticated, he says.
In spite of those seemingly large numbers, the enrolled merchants and cardholders are only fractions of all cardholders and merchants. In fact, some critics note that the cardholder number may not be accurate in that it represents card accounts automatically enrolled, meaning the cardholder did nothing to enroll and probably doesn't even know that he's a participant.
Another step
The associations have had a tough time persuading e-merchants to adopt the authentication codes. They argue that consumers worried about fraud would be more likely to shop online if they knew their credit card numbers are protected. And the codes should cut fraud losses due to unauthorized use of account numbers, they say.
But the authentication programs have fallen victim to the chicken-and-the-egg syndrome: card issuers see no need to promote the program to their cardholders because there are too few merchants participating. And merchants see no need to sign up when there are few cardholders using it.
In addition, retailers believe that any step added between the time a customer selects a product and completes the purchase will increase the abandonment rate, an e-merchant's greatest fear.
"The original problem with Verified by Visa was that because of the work it imposed on the consumer, it was depressing response by as much as 40%," says Tim Litle, chairman of Litle & Co. Litle processes for 150 online merchants.
And while Visa streamlined the process, Litle says the merchants he deals with aren't demanding Verified by Visa. "We've certainly laid out the alternatives to merchants but they're more worried about depressing response," even if it's by as little as 1%, he says.
Incentives, such as Visa's offer of zero liability and a 5-basis-point reduction in the interchange rate for merchants using Verified by Visa, have not overcome those fears, Litle says.
The associations acknowledge that the authentication codes are still a hard sell to merchants. "There are still some retailers who, when they fully understand the value of the chargeback benefits and the interchange, say there's not sufficient value to deploy the service," Yakel says.
linda@verticalwebmedia.com