Common Ground

Compliant Certification and Status
by Gregory C. Cohen

   With the continuous flow of New Technology ... New Products ... New Companies ... What a changing world the acquiring business has become. But, in the race for Acquirers and Value Added Resellers/partners to develop proprietary products and technology there are new issues driven by the need for increased security, disclosure and data integrity.
   With many known instances of card theft through breaches at ISOs and Value Added Resellers (VARs) over the past few years, both Associations have developed new security policies and procedures to limit access and create new standards of security. Visa has developed its Cardholder Information Security Program (CISP) and MasterCard created its Sight Data Protection (SDP) program.
   While these programs were originally developed to secure cardholder data, other industry changing policies have resulted; and, in order to comply, many Acquirers and VARs will have to undergo costly and lengthy audits and certifications. In addition, the Associations and Member Institutions are re-examining the registrations of many of their Agents (including ISOs), and will be forcing Agents to register under new classifications such as those required of processors. As the market and technology drive merchant acquirers, other forces may cause industry players to reexamine directions, partners and business strategies.
   With the new CISP and SDP programs, any organization with access to cardholder information must undergo a third party audit by an Association-approved vendor. Though the definition of "access" is somewhat grey and open to the interpretation of the Sponsoring Member, any ISO with access to full cardholder data through authorization files, risk systems, reporting tools, etc., may be subject to the necessary audits. This also includes any organization passing transactions such as VARs or ISOs with proprietary products.
   The CISP and/or SDP audit is a much-needed direction for our industry. In the past, virtually any developer could certify to a processor and start running payment transactions. These new Association driven programs have created barriers to entry and are forcing ISOs and VARs to maintain a much greater level of security.
   The costs of these certifications and compliance can be in the tens to hundreds of thousands of dollars depending on the size of the organization, the use of the data and systems, and how much extra work is necessary to reach compliant standards. Before you go out and build your own product or partner with an organization, make sure you and/or they are either prepared to take or have already taken the necessary steps to be compliant today and into the future. Be ready to invest time and money to reach and maintain the compliance standards of your Member Institution and the Associations. Remember, as the Acquirer you are responsible for your transactions, a breach at one of your partners results in your losses and fines.
   As the Associations gathered data regarding security, both they and their Member Institutions realized that many organizations were not registered properly. Though Visa and MasterCard's definitions are slightly different, they require any organization that performs:

  • Transaction processing including gateway services or switching,
  • Data capture,
  • Terminal driving or loading/programming,
  • Injecting encryption keys,
  • or "other administrative functions" such as risk or customer/terminal service,

   be registered as a Third-Party Servicer (Visa), a Third Party Processor (MasterCard), and/or an Encryption and Support Organization (Visa). For many ISOs, this will mean additional registrations, costs and potentially greater oversight and underwriting criteria by their Member Institutions. For the VAR, the process is potentially more ominous, as the Member Intuition is responsible for all acquiring activity in its BINs, they are also responsible for how the transactions get there. It is possible that in the future, VARs may have to register and/or certify with each and every Member Institution for which they run transactions. For certain VARs, this could mean hundreds of registrations and even though the cost may be minimal as the Associations allow for one primary registration, the thought of maintaining up-to-date registrations with all Member Banks will be a paperwork, certification and resource nightmare.
   Yes, technology is driving our industry as you have read throughout this issue, but other stakeholders (the Associations and Member Institutions) are making sure that only reputable and highly secure providers are driving these technologies. The impact that these players will have on our industry will be tremendous and it is in everyone's best interest, from the Merchant Level Sales Person, to the ISO, VAR, Processor, etc. to be aware of their impact and work in conjunction with the new, secure and reputable direction of our industry. When you are deciding to build, buy or partner make sure those decisions are made with a clear understanding of compliance. The future is bright for our industry and technology will no doubt drive the growth; but it will be only those players that drive these new technologies within the playing field and abide by the rules that will see the next round of the game.