Credit-card companies are ramping up efforts to combat identity theft at all its sources. They have a huge stake in combating data leaks and identity theft, since plastic is the quickest way for thieves to get access to money or goods. Visa USA and MasterCard International Inc. have been working on making sure data security at brick-and-mortar merchants and credit-card processors is up to the standards they've set for online commerce.
Both companies want to ensure that merchants securely store credit-card and customer information. Visa's Cardholder Information Security Program, which began in April 2000 and was mandated in June 2001, requires that merchants and banks comply with a set of security standards, including using firewalls, conducting proper software patching, and restricting access to a need-to-know basis.
Merchants are largely cooperative with the program because of what's at stake, Shaughnessy says. They know that breaches and fraud anger customers, as well as hurt credit-card issuers and other merchants victimized by subsequent fraud after a breach. Data breaches that lead to fraud total 6 or 7 cents for every $100 in sales, Shaughnessy says. "When you look at our overall breach rate, it's pretty low," he says.
The first deadlines for demonstrating compliance with Visa's program come this September, when most larger merchants will have to document that they've met the requirements. Banks, which authorize merchants to accept Visa or MasterCard, face fines if any of their merchants can't provide validation. "Members are to work with the merchants to help them get the job done," Shaughnessy says. Visa has a roster of approved vendors that provide consulting to ensure compliance.
MasterCard has two primary programs to prevent customer-data breaches and credit-card fraud related to online transactions. One is a Web-site data-protection program that helps merchants and their banks protect against hackers and other electronic compromises by performing vulnerability scans to identify and plug holes in their security infrastructures. The program, which generally costs less than $2,000 a year, is mandatory for merchants and banks and is subject to a number of compliance conditions. The other is MasterCard's SecureCode, a software plug-in that merchants can add to their sites for use by their customers and the card issuer. At checkout, a pop-up box asks a customer to enter a personal identification code that is provided and verified by the card issuer, guaranteeing the transaction for the merchant. MasterCard also requires third-party vendors that might possess merchants' customer data to participate in breach-prevention education, says John Brady, VP of merchant fraud control.
If a breach occurs, MasterCard does everything it can to minimize the fraud and reduce the chances of having to reissue a card by bringing in a remediation contractor to assess the damage, Brady says. "Risk remediation is key for us. We go in with a professional third-party company, we look at the system to see what the vulnerability was, and everyone involved goes through the process with the info-security vendor to determine which risk-remediation option makes the most sense," he says.
Brady and Shaughnessy are well aware that breaches will occur despite the most ambitious efforts to prevent them. The key is reacting quickly. "We understand when one of these breaches happens," Brady says. "But if a security hole leads to the breach, the risk needs to be mediated quickly and effectively."
Avivah Litan, VP and research director of financial services at Gartner, says the credit-card industry's own research predicts triple-digit growth in compromises. "It's getting worse," she says. "Crooks are getting much more aggressive and sophisticated, and it's easy to breach the systems. Viruses, Trojan horses--there are all types of ways to get passwords and get into the system. Everyone is vulnerable." And there isn't an easy answer. Litan estimates that only 10% of companies encrypt credit-card data, but it's for a reason. "It's hard to encrypt data and then use it in an operational environment--it's very resource intensive," she says.
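One way merchants sidestep the operational cost Litan describes is to keep the full card number out of the systems that use it day to day. The sketch below is an added illustration for this article, not code from Visa, MasterCard, Gartner or any merchant: the operational record holds only a keyed one-way token (HMAC-SHA256), the last four digits and the expiry, so lookups such as repeat-customer or velocity checks never need a decryption step. The Luhn check, the fixed vault key and the test card numbers are constructed for the example; a real deployment would fetch the key from an HSM or key-management service and would keep any full PAN, if it must be retained at all, in a separately encrypted vault.

```python
"""Minimal-retention handling of a card number (PAN) in a merchant system.

Added example, not from the article or from any card brand. Assumption:
the vault holds an HMAC key; operational systems see only the derived
token, the last four digits and the expiry, so they never decrypt anything.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed demo key. A real deployment loads this from an HSM or KMS.
VAULT_KEY = bytes.fromhex("0f" * 32)


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check used on card numbers."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits are shown."""
    return "*" * (len(pan) - 4) + pan[-4:]


def pan_token(pan: str, key: bytes = VAULT_KEY) -> str:
    """Keyed, one-way token for a PAN.

    Stable for the same card under the same key (so it can be used as a
    lookup key), but not reversible without the vault key.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    """What the operational database keeps. The full PAN is deliberately absent."""
    token: str
    last4: str
    expiry: str


def store_card(pan: str, expiry: str) -> StoredCard:
    """Validate a PAN and reduce it to the fields operational systems need."""
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return StoredCard(token=pan_token(pan), last4=pan[-4:], expiry=expiry)


def find_card(pan: str, records: Iterable[StoredCard]) -> Optional[StoredCard]:
    """Match a freshly presented PAN against stored tokens without decrypting."""
    wanted = pan_token(pan)
    for rec in records:
        if hmac.compare_digest(wanted, rec.token):   # constant-time compare
            return rec
    return None


if __name__ == "__main__":
    # Constructed sample input: two well-known test card numbers.
    db = [store_card("4111111111111111", "12/27"),
          store_card("5555555555554444", "06/26")]
    hit = find_card("4111111111111111", db)
    print(mask_pan("4111111111111111"), hit.expiry if hit else "no match")
```

The token is deterministic under one key, which is what makes fraud-velocity and repeat-customer checks possible without ever holding the clear PAN in the application tier; rotating the vault key means re-tokenizing, which is the trade-off a merchant accepts for not decrypting on every transaction.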