Retailers come around to card companies’ security programs
Concerns about protecting confidential customer data are as old as e-commerce itself. Way back in 1999 a hacker stole credit card numbers from CDUniverse.com and generated a lot of publicity when he posted the numbers on a web site after failing to extort ransom from CDUniverse's parent. Ever since, polls have shown that a significant number of consumers won't shop online because they fear their credit card number being stolen.
And retailers don't expect the situation to get any better. In fact, 49% of retailers in a survey by payments processor CyberSource Corp. expect online payment fraud to increase this year, while 44% expect it to remain the same. A mere 7% say it will decline.
In response, MasterCard and Visa over the past few years have developed security programs designed not only to reduce fraud but also to boost cardholder confidence. So far, they're having varying degrees of success.
For starters, they developed cardholder authentication programs to protect cardholder data in transmission. These programs--Verified by Visa and MasterCard SecureCode--require cardholders to enter a password when making a credit card purchase online. Both associations say they are seeing increased participation in these programs by merchants and card issuers. However, those participants still represent only a fraction of the Visa and MasterCard merchant and issuer bases.
Meanwhile, Visa and MasterCard are rolling out programs for protecting confidential data on merchants' web sites. Both report that online merchants are meeting mandated deadlines for implementing the security standards--MasterCard's Site Data Protection and Visa's Cardholder Information Security Program--although they won't report specific numbers.
Meeting the deadlines
The standards apply to any entity that stores or transmits payments.
MasterCard set two compliance dates for implementation--June 2004 and June 2005--while Visa mandated compliance by Sept. 30, 2004, and March 31, 2005. For both associations, the largest merchants, those that process more than 6 million transactions annually, faced the first deadline. Merchants that suffered a hack or an attack that resulted in an account data compromise also fell into this category.
The second level includes e-commerce merchants processing 150,000 to 6 million transactions per year. E-commerce merchants processing 20,000 to 150,000 transactions fall into the third level, and all other merchants, regardless of acceptance channel, fall into level four.
The requirements for data security protection vary depending upon which level the retailer falls under. Those requirements range from an annual on-site security audit and quarterly network scan for level one to a recommended self-assessment questionnaire and recommended annual network scan for the fourth level.
The requirements for validating compliance also differ, with level one required to submit to an audit by an independent security assessor or an internal audit signed by an officer of the company. Compliance must also be validated by a qualified independent scan vendor. At the lowest level, the merchant itself validates compliance. Validation by a qualified independent scan vendor is optional.
For the largest e-merchants, "it's fair to say that they are either in compliance or there's a specific plan in place to achieve that," says Thomas Maxwell, director of advanced payments at MasterCard.
Adds John Shaughnessey, senior vice president of fraud prevention at Visa: "With a very few exceptions, it's been overwhelmingly embraced. We're really encouraged."
Compliance has been helped in part by the development by Visa and MasterCard of an integrated standard for data protection--the Payment Card Industry Data Security Standard. Under PCI, if a merchant is in compliance with one association's standard it is automatically in compliance with the other's. American Express, Discover, Diners Club and JCB also endorse the standard.
That makes it easier and less costly for e-merchants to comply. "To have one standard to comply with, with one set of compliance dates, makes everybody's life simpler, including ours," says Chris Noel, vice president of business development at Solutionary Inc., an Internet security technology firm.
While PCI is the underlying data security standard for both programs, both associations will keep their proprietary programs. That's because Visa and MasterCard administer the programs differently.
To be sure, it hasn't always been easy to persuade merchants to implement the standards even though they are mandatory. "There's a minority out there saying Visa has no way of enforcing this obligation on them, that they're not going to be dragged along against their will," Noel says. "In each case where I've seen the merchant take that stance, he ends up eventually changing his mind" after Solutionary discusses the need for data protection.
"Cybercrime is the third priority on the FBI's list after counterterrorism and counterespionage," Noel says. "That would suggest it's important. If you look at the fact that identity theft is the fastest growing crime in America, that would say it's important." 95% of the merchants Solutionary works with are moving forward with adopting the standards, Noel says. About 80% of Solutionary's 200 customers have a web presence.
Educating merchants about the need for data protection also helped Wells Fargo & Co. bring its merchants into compliance. Its 40,000 online merchants, including eBay, are fully compliant with Visa's CISP rules, says Debra Rossi, executive vice president of merchant payment solutions. "Merchants want to do everything they can to be protected against fraud," she says. "Most of them understand the liability."
Wells Fargo's next step will be to bring its brick-and-mortar merchants into compliance, Rossi says. She notes that cardholder information held by stores may be more vulnerable to fraud than that held by e-retailers.
The merchant banks hold the key to ensuring retailer compliance, says Mike Pettiti, senior vice president of marketing at data security company Ambiron. "You're really going to see adoption among the merchants when the acquirers begin to drive the data security policies and best practices down to the merchant level," he says.
Frequent reports of database breaches are making it easier to convince online merchants of the need for data protection, observers say. Since the beginning of the year, there have been data breaches involving at least four well-known companies--data brokers Choicepoint Inc. and LexisNexis and retailers Polo Ralph Lauren Corp. and DSW Shoe Warehouse. "There is a growing understanding of the absolute necessity to protect this data," Shaughnessey says.