MasterCard International recently launched new security standards and a service designed to aid acquirers and merchants in protecting customers' credit card numbers.
The new program, the MasterCard Site Data Protection program, enables acquirers to roll out security compliance programs to merchants and service providers. Acquirers receive a full waiver from any MasterCard fines if they meet the card issuer's requirements. That's important for merchants, according to John Verdeschi, MasterCard Director of eBusiness and Emerging Technologies, because acquirers may elect to pass along any fines to merchants.
However, participation in the program and adherence to any of its guidelines is voluntary, Verdeschi added.
The SDP program expands on MasterCard's site protection program launched in the spring of 2002, Verdeschi said. The SDP program is more comprehensive. It includes security standards for vendors, merchants and service providers, as well as electronic commerce requirements and best practices for acquirers and electronic commerce security architecture best practices.
In order to participate, acquirers and their participating merchants and service providers must conduct a security self-assessment and scan their networks for security defects. The self-assessment includes 60 questions in six categories. A self-grading mechanism provides an immediate determination of the merchant's compliance with the MasterCard standard.
The security scan is automated, non-intrusive and lasts an hour, according to Verdeschi. The scan analyzes the network from the outside-in, providing a visual map of how a hacker would view the Web site. The scan identifies risks using a database of more than 2,400 known vulnerabilities. The scan itself is continually updated as new threats emerge. Intelligent electronic reporting categorizes new risks discovered and recommends improvements.
Security is a constantly moving target as hackers develop new competencies, patches are developed to stop the new intrusions, hackers develop still more new competencies, new security tools are developed, etc., Verdeschi added.
Therefore, according to Verdeschi, acquirers will want to examine ongoing security monitoring tools, either through the MasterCard SDP program or through another vendor whose solutions are deemed SDP compliant.
MasterCard will charge up to $2,000 per year for security monitoring. According to Verdeschi, this is far less than what it would cost an online merchant in business and reputation if his site was compromised and a hacker obtained one or more valid credit card numbers.
MasterCard is providing proactive monitoring of industry security alerts and toolkits to fix known vulnerabilities, Verdeschi said.
MasterCard's SDP service provides a proactive solution designed to defend against "hack and attack," Verdeschi said. It provides a road map to better Web site security. It identifies system vulnerabilities and recommends improvements.
The technology behind the service was developed by Belgium-based Ubizen. The company is also making the following discounted programs available to SDP participants:
- Firewall monitoring
- Incident response services
Marsh Insurance is another program partner. The insurance company is offering participants discounted Web insurance. The basic package includes coverage for liability, criminal activity and crisis management. Additional coverage is available for Web site failures, business losses, and reputation damage.
Internet fraud remains a growing problem. The Internet Fraud Complaint Center (IFCC) referred 48,252 fraud complaints to federal, state and/or local law enforcement authorities last year.
IFCC's 2002 annual report offers a recap of Internet crime hot spots by state, statistical information, and victim demographic data gleaned through complaints IFCC has received and referred through its on-line Web portal located at www.ifccfbi.gov from January 1, 2002 through December 31, 2002. In 2002, complaints filed with IFCC totaled 75,063.
California, New York, Florida, Texas, and Illinois were the top five states for victims of Internet crime. In cases where the perpetrator has been identified, nearly four in five were male and over half resided in the states of California, New York, Florida, Texas, Illinois, and Pennsylvania.
Automated enrollment in the program is available through www.mastercardintl.com/sdp.
Visa U.S.A. announced today that it will offer member banks an identity-theft insurance program for bank customers. Visa will charge banks a fee, but the banks must offer the program free to cardholders. The San Francisco-based card association did not release any pricing details. Under Visa's plan, participating cardholders could be reimbursed $1,000 to $15,000 for lost wages, legal fees and other costs arising from identity theft. Member banks that participate in the program will have the authority to decide how to market it and the amount of the insurance they will offer cardholders.