As Congress considers legislation to protect customer accounts, card issuers toughen their own data-security requirements
As a wave of identity-theft and data-privacy legislation makes its way through Congress, credit-card companies and retailers are scrambling to come up with ways to avoid a repeat of the fiascos earlier this year that placed millions of accounts at risk. The bills would create a national security-breach notification policy, replacing numerous state laws, and would impose stiff fines for violations.
The card companies would prefer to address the issue themselves, rather than have the government do it for them. American Express, Discover, MasterCard, and Visa have formulated data-security requirements for retailers and payment processors to ensure that transaction information doesn't fall into the wrong hands. Merchants are forbidden to store the full contents of the magnetic stripes on cards and the card-validation number printed on the back. They may store only those portions of customer-account information deemed essential for business, such as name, account number, and expiration date. And they must purge all media containing obsolete transaction data with cardholder information.
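The storage rule just described (no full magnetic-stripe contents, no card-validation number; name, account number and expiration date only) as an added example that is not from the article or from any card brand: a Python check that strips the prohibited fields from a constructed post-swipe record and scans what would actually be written to disk or a log for stripe data or a validation code. The track patterns, field names and the sample record are assumptions modelled on the ISO 7813 track layout, not on a brand specification.

```python
import json
import re

# Cardholder fields the article says a merchant may keep after authorization.
ALLOWED_CARD_FIELDS = {"cardholder_name", "pan", "expiry"}

# Hypothetical patterns for full magnetic-stripe contents, modelled on the ISO 7813
# track layouts (track 1: %B<PAN>^<NAME>^<YYMM>...?  track 2: ;<PAN>=<YYMM>...?),
# plus a card-validation code stored under a CVV-like key.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{7,}\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{7,}\?")
CVV_RE = re.compile(r'"(?:cvv2?|cvc2?|cid)"\s*:\s*"?\d{3,4}\b', re.IGNORECASE)

def luhn_ok(pan: str) -> bool:
    """Mod-10 check so the scanner does not flag random digit runs as PANs."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0

def sanitize_for_storage(txn: dict) -> dict:
    """Drop everything from the card block except the fields allowed on disk."""
    kept = dict(txn)
    kept["card"] = {k: v for k, v in txn.get("card", {}).items() if k in ALLOWED_CARD_FIELDS}
    return kept

def find_prohibited_data(text: str) -> list:
    """Kinds of forbidden data present in a serialized record or a log line."""
    found = [name for name, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE))
             if any(luhn_ok(m.group(1)) for m in rx.finditer(text))]
    if CVV_RE.search(text):
        found.append("cvv")
    return found

def scan_record(txn: dict) -> list:
    """Serialize the record the way it would hit disk, then scan that text."""
    return find_prohibited_data(json.dumps(txn))

# Constructed sample of what a POS might hand to the back office right after a
# swipe; 4111111111111111 is a well-known test PAN, not a real account.
RAW_TXN = {"amount": "42.00", "card": {
    "cardholder_name": "DOE/JANE", "pan": "4111111111111111", "expiry": "2512",
    "track1": "%B4111111111111111^DOE/JANE^25121011000000000000?",
    "track2": ";4111111111111111=25121011000000000?",
    "cvv2": "123"}}
```

Running `find_prohibited_data` over application log lines catches the common case where the POS never stores track data itself but a debug log does.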
In a speech last month, John Coghlan, Visa USA's president and CEO, proposed creating an entity to manage data-security issues for the card industry. It would report on emerging risk and fraud issues, as well as promote, validate, and strengthen data-security compliance. Visa is increasing its own anti-fraud spending by $200 million over the next four years, Coghlan added.
MasterCard and Visa have created four levels of merchants based on transaction volume. Level-one merchants, those that process more than 6 million total card transactions a year, are required to validate compliance through an annual on-site security assessment performed by a third party. Level-two merchants, those processing between 150,000 and 6 million online transactions per year, and level-three merchants, those processing between 20,000 and 150,000 online transactions annually, are required to conduct an annual self-assessment questionnaire. Level-four merchants, those processing fewer than 20,000 online transactions annually, are strongly encouraged to conduct the self-assessment questionnaire.
The Visa and MasterCard rules stipulate that banks can be fined as much as $500,000 per incident for security breaches occurring at a merchant or service provider with which they have a relationship. Merchants in general don't connect to the Visa and MasterCard networks directly; instead, they contract with service providers or their banks to connect to the networks. American Express holds merchants that fail to report a security compromise responsible for all fraudulent transactions, plus all costs Amex incurs as a result of resolving any illegal activity.
Merchants doing business with Visa and MasterCard are alarmed about the possibility that their banks could pass along to them fines levied by the card companies. They're also concerned about a clause that automatically reclassifies any merchant that suffers a security breach as a level-one merchant, holding them to the requirements that come along with that classification.
Camp Snoopy VP Chris Lake-Smith worries about the cost of complying with card-company mandates.
"The risk of being automatically reclassified as level one, as well as the prospect of fines levied by banks, is cause for concern," says Chris Lake-Smith, VP of information systems at Camp Snoopy, a 7-acre indoor theme park located at the Mall of America in suburban Minneapolis.
While only a level-four merchant, Camp Snoopy has a complex IT infrastructure that includes three separate point-of-sale systems: one for rides and attractions, one for food and beverage, and one for merchandise. Each system must be validated for compliance with the card companies' data-security requirements. Among the main tasks is ensuring that all cardholder information is encrypted. "I fear that the cost of compliance is going to be high, even as a level-four merchant," Lake-Smith says.
Camp Snoopy has a good deal of work ahead to achieve compliance. For example, it bought the system it uses for rides and attractions from a company that went defunct a few years after the park opened in 1992. Since then, Camp Snoopy has had to contract with one of the former company's lead programmers for support.
The food-and-beverage system is InfoGenesis Corp.'s Revelation, which Camp Snoopy purchased in 2000. It also bought the latest terminals from IBM. As InfoGenesis introduced later versions of Revelation that required newer terminals, Camp Snoopy was forced to stick with the earlier version. "The machines that were top-of-the-line in 2000 didn't have the horsepower for the later versions of Revelation," Lake-Smith says.
Camp Snoopy is in the process of updating those systems to bring them into compliance. In addition, Camp Snoopy runs monthly network-vulnerability scans and annual penetration tests, has placed all applications behind the firewall, and encrypts all data.