There's been a flurry of activity in the Internet payment/data protection arena lately. Reports of major hackings here. Attempted patches there. Finger pointing all the way around. Data security mandates by Visa and MasterCard on top of it all. What's a merchant acquiring company to do?
Let's face it: neither the continued rise in the electronic storage of cardholder data, nor the card associations' responses to that, are going away any time soon. Both Visa and MasterCard have responded to the phenomenon by blasting us with a bevy of new, seemingly incomprehensible and complicated mandates. This article will summarize the requirements imposed on merchant acquirers by Visa and MasterCard.
First we'll explore Visa's mandate, a/k/a "CISP", or the Cardholder Information Security Program. Then we will delve into MasterCard's response, contained in a myriad of documents, but generically referred to below under the "Site Data Protection" mantle.
All processors, ISOs, third party servicers, or independent contractors with access to account or Visa transaction information must comply with Visa's Cardholder Information Security Program. CISP specifically applies to entities that store, handle and/or process cardholder data for members or for e-commerce merchants. A third party that provides a loyalty program or provides fraud control services must comply as well. Acquirers must include a CISP compliance provision in all contracts with merchants and non-member agents.
CISP is based on 12 basic security requirements, which include working firewalls, security patches, encryption, anti-virus software, restricting access to data, and implementing and maintaining an information security policy.
For service providers and "select" merchants (selected by Visa based on transaction volume and other considerations such as name recognition, level of risk, and reputation factors), compliance assessment and monitoring occur through annual on-site audits and reviews by a Visa qualified independent security assessor.
For merchants other than select merchants, compliance verification occurs through completion of an online self-assessment and periodic confidential vulnerability scans. Visa is currently developing an Automated Compliance Verification Program for merchants, which is due to be released in the first quarter of 2004. Merchant participation in the program will be required immediately upon release.
Failure to comply with the CISP requirements may result in fines, restrictions on the merchant or permanent prohibition of the merchant or service provider's participation in Visa programs. Although all merchants and service providers must comply with the 12 basic CISP requirements, compliance actions will be scaled to a level of risk that is based on the number of accounts stored or processed.
In 2002 MasterCard launched an optional Web site security program called the Site Data Protection ("SDP") Service to help combat the security threats associated with electronic commerce. In April 2003, MasterCard expanded the concept and released the "new" Site Data Protection Program, which includes 4 components: a security standard, security evaluation tools, optional compliance testing process for data security vendors, and acquirer registration of merchants and TPPs that store account data information.
In September 2003, MasterCard decided to require compliance with the SDP Program, on a tiered basis, in response to recent large-scale hacker attacks. In addition to e-commerce acquirers, merchants and TPPs, the SDP Program will also apply to all other entities that store MasterCard account data on behalf of merchants, such as web hosting providers and payment gateways. MasterCard calls those entities Data Storage Entities ("DSEs").
Acquirers that participate in e-commerce will be responsible for identifying merchants, TPPs and DSEs and for determining their compliance with the SDP Program. MasterCard strongly recommends SDP Program participation for all merchants, not only those specified in Tiers 1 and 2. To be compliant with the SDP Program, acquirers must:
- Submit to MasterCard by December 31 of the previous calendar year a list of all e-commerce merchants, TPPs and DSEs that must comply with the MasterCard Security Standard.
- Fulfill the network security scan requirement.
- Deploy an SDP security compliance program for their applicable e-commerce merchants, TPPs and DSEs.
- Obtain a self-assessment and network security scan for each e-commerce merchant, TPP and DSE.
- Annually register each e-commerce merchant and specify each associated TPP and DSE that stores data on the merchant's behalf.
Effective June 30, 2004, certain entities must implement the SDP Program, such as merchants and DSEs that have suffered a hack, all TPPs, DSEs, and large merchants. Effective June 30, 2005, small merchants and DSE's that store account data on behalf of smaller merchants must implement the SDP Program.
Account Data Compromises
In addition to the SDP Program, when an acquirer becomes aware of an account data compromise ("ADC") event or suspected event, MasterCard now requires the acquirer to conduct an investigation and provide the results to MasterCard. Within 24 hours the acquirer must notify MasterCard, provide a detailed written statement of fact about the ADC, and provide MasterCard with a list of all known compromised accounts. Within 72 hours, the acquirer must engage the services of a data security firm acceptable to MasterCard to assess the vulnerability of the compromised data and related systems.
MasterCard RAMP Review
MasterCard also has a data security program aimed at members and MSPs. In May 2002 MasterCard introduced the Risk Assessment Management Program ("RAMP"), a fraud reduction program.
RAMP includes three different levels of review. Level 1 review is mandatory for each applicant for a Principal MasterCard license. The review takes place during the initial licensing and certification stage. Level 2 review is optional and available upon request by all members. The Level 2 review is a consultation, involving an on-site visit culminating with the member receiving a detailed report and action plan.
A Level 3 review is required for all members and MSPs that MasterCard determines create a risk or operational burden to the system. During a Level 3 RAMP review, MasterCard will review merchant signing procedures, terminals, authorization services, merchant monitoring systems and procedures, and merchant education programs.
Following a RAMP review, a noncompliant member will receive a formal written report detailing the requirements that must be satisfied in order to achieve compliance. Noncompliance beyond the period of time specified may result in assessments each month until the member complies. Continued noncompliance may also result in revocation of the member's MasterCard license.
The Mega-Site Inspection
€In addition to the data security programs, the card associations have also attempted to nip problem merchants in the bud by beefing up merchant inspection requirements for e-commerce merchant acquisition and monitoring. Remember how every merchant was supposed to be site-inspected? This is like a site inspection requirement on steroids.
Effective October 1, 2003, before signing an e-commerce merchant, a Visa acquirer must:
- Obtain a detailed business description from the merchant;
- Examine the merchant's website to verify that the merchant is operating within the acquirer's jurisdiction;
- Ensure that the merchant is not engaged in any illegal activity or any activity that would cause harm to the Visa system or brand, or that is in violation of the Visa rules; and
- Retain copies of all relevant web site screens (either in paper copy or electronic form).
An acquirer that signs an internet payment service provider must ensure that each sponsored merchant website of the internet payment service provider is inspected.
For all existing e-commerce merchants and sponsored merchants, an acquirer must examine the website at least once each year, and retain copies of all relevant screens (either in paper copy or electronic form). This information must be kept on file by the acquirer and provided to Visa upon request.
Like Visa, MasterCard also amended its merchant screening programs. Recent changes to the MasterCard rules now require not only merchant site inspections, but general due diligence as well, including reviewing merchant records, merchant contracts, and merchant personnel, to ensure that the merchant can handle its stated business.
MasterCard acquirers are now required to institute a merchant fraud prevention program, comprising of merchant education, including periodic visits to merchants, distribution of related educational literature, and participation in merchant seminars.
Where Do You Go From Here?
All of this attention on data security and merchant review is a lot to digest, much less comply with. It begs the question: Will compliance with one card association's requirements satisfy the others? Visa, MasterCard, Discover and American Express representatives stated at the ETA meeting in September that they would not oppose standardizing such requirements, and I understand they are working toward that end. It would be welcome relief. In the meanwhile, all we can do is try our best to comply. And perhaps there is a silver lining to all of this regulatory activity. Ultimately, compliance may benefit you by preventing a costly hack of your system.