News
7/15/2005 05:30 PM

Crunch Time For Payment Processors

Transaction-service companies hustle to comply with security standards

Credit- and debit-card transaction-processing companies have been scrambling to meet stringent security standards laid down by American Express, Discover, MasterCard, and Visa. After the security breach disclosed last month at CardSystems Solutions Inc., which exposed more than 40 million accounts, the major card companies are being challenged to ensure that transaction processors not only get into compliance but stay there.

Cynergy constantly ensures against data compromise, CIO Ordonez says.

"After what happened with CardSystems, they're going to come out with new ways of auditing companies," says Andres Ordonez, CIO of Cynergy Data, which processes about 4.5 million transactions a month for 27,000 merchants. Cynergy's compliance effort cost $50,000, including external auditing fees and installing intrusion-detection and network-monitoring systems.

Compliance isn't just about passing annual audits. "It's what happens between the audits that counts," Ordonez says. "We store millions of card numbers, so we need to constantly ensure against compromising that data."

As of June 30, any entity that stores, processes, or transmits cardholder data had to comply with the Payment Card Industry Data Security Standard, which requires access-control measures, regular network monitoring and testing, and an information-security policy. Annual security audits and quarterly network scans also are required.

Just how many transaction-processing companies are compliant with the Payment Card Industry requirements isn't clear. Visa has published a list of about 150 compliant service providers, which it says represent most major payment processors. But Ordonez says there are hundreds of smaller processors, many of which could fold under the cost of compliance.

Companies that experience breaches and are found not to be in compliance face stiff penalties. Banks are responsible for ensuring compliance of the service providers they use and of their merchants' service providers. Visa can fine banks up to $500,000 per incident for any merchant or service provider that's compromised and not compliant.

Visa and MasterCard have had security programs in place for several years, but enforcement was sometimes left to others. About two years ago, Princeton eCom Corp., which provides electronic bill-payment services for banks and other companies, was told by First Data Corp., a card payment processor, that it had to comply with Visa's program as a condition for building a link to First Data's systems. First Data was a processor for one of Princeton eCom's customers, says Jennifer Roth, product management VP at Princeton eCom.

Princeton eCom had built a link with another card processor, Paymentech LP, but Paymentech "hadn't brought it up as an issue," Roth says. Princeton eCom hired AmbironTrustWave, an information security auditing firm, to assess its program, and it received its compliance documentation late last year.

CardSystems has hired AmbironTrustWave to assess its Payment Card Industry compliance and says it plans to comply with Visa's and MasterCard's programs, both of which incorporate the group's standards, by Aug. 31. CardSystems had been verified as compliant with the Visa program in June 2004 but was later declared out of compliance when it was discovered that it was inappropriately storing cardholder data.

VeriFone Holdings Inc., a provider of payment terminals and software, began adapting its products to meet the Visa guidelines in 2003. Last year, it acquired the assets of GO Software, including its payment-processing software, and VeriFone had to devote six months of development and testing, including adding 128-bit encryption, to make those products compliant. During that work, Marco Mabante, VP of compliance and integration, says, "product development was at a standstill."
