How Much Is Enough? - InformationWeek

How Much Is Enough?

As Congress considers legislation to protect customer accounts, card issuers toughen their own data-security requirements

As a wave of identity-theft and data-privacy legislation makes its way through Congress, credit-card companies and retailers are scrambling to come up with ways to avoid a repeat of the fiascos earlier this year that placed millions of accounts at risk. The bills would create a national security-breach notification policy, replacing numerous state laws, and would impose stiff fines for violations.

The card companies would prefer to address the issue themselves, rather than have the government do it for them. American Express, Discover, MasterCard, and Visa have formulated data-security requirements for retailers and payment processors to ensure that transaction information doesn't fall into the wrong hands. Merchants are forbidden to store the full contents of the magnetic stripes on cards and the card-validation number printed on the back. They may store only those portions of customer-account information deemed essential for business, such as name, account number, and expiration date. And they must purge all media containing obsolete transaction data with cardholder information.
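As an added example (not from the article, nor from any card brand's program), here is a Python audit of a merchant's stored transaction records against the storage rule described above: it flags forbidden data (track contents, the card-validation number), track data that has leaked into a free-text field, fields outside the approved set, and records old enough to be purged. The field names, the sample records and the 90-day retention window are assumptions; the article does not say how old transaction data must be before it counts as obsolete.

```python
import re
from datetime import date, timedelta

# Fields the article says a merchant may keep (field names are assumed for this example).
ALLOWED_FIELDS = {"name", "account_number", "expiration", "txn_date", "amount"}
# Data the card rules forbid storing: full magnetic stripe (tracks 1 and 2) and the validation number.
FORBIDDEN_FIELDS = {"track1", "track2", "cvv"}

# Magnetic-stripe layouts from ISO 7813: Track 1 "%B<PAN>^<NAME>^<YYMM>...", Track 2 ";<PAN>=<YYMM>...".
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^?]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{12,19}=\d{4}")


def audit_record(rec, today, retention_days):
    """Return the list of findings for one stored transaction record."""
    findings = []
    for field, value in rec.items():
        if field in FORBIDDEN_FIELDS and value:
            findings.append(f"{field}: forbidden cardholder data is stored")
        elif field not in ALLOWED_FIELDS:
            findings.append(f"{field}: field is outside the approved set")
        # Track data can leak into free-text fields too, so pattern-match every string value.
        if isinstance(value, str) and (TRACK1_RE.search(value) or TRACK2_RE.search(value)):
            findings.append(f"{field}: contains magnetic-stripe track data")
    txn_date = rec.get("txn_date")
    if txn_date and today - txn_date > timedelta(days=retention_days):
        findings.append("txn_date: transaction is obsolete and the record must be purged")
    return findings


def audit_store(records, today, retention_days=90):
    """Audit every record; returns {index: findings} for the records that have problems."""
    report = {}
    for i, rec in enumerate(records):
        findings = audit_record(rec, today, retention_days)
        if findings:
            report[i] = findings
    return report


# Constructed sample store. The PANs are made-up digit strings, not real card numbers.
SAMPLE_TODAY = date(2005, 9, 10)
SAMPLE_RECORDS = [
    {"name": "A CUSTOMER", "account_number": "4000000000000002", "expiration": "0912",
     "txn_date": date(2005, 9, 1), "amount": "42.00"},
    {"name": "B CUSTOMER", "account_number": "5100000000000008", "expiration": "1012",
     "txn_date": date(2005, 9, 2), "amount": "8.50", "cvv": "123"},
    {"name": "C CUSTOMER", "account_number": "4000000000000002", "expiration": "0912",
     "txn_date": date(2004, 1, 15), "amount": "19.99",
     "notes": "reader dump ;4000000000000002=09121011234567890?"},
]
```

Running `audit_store(SAMPLE_RECORDS, SAMPLE_TODAY)` reports the stored validation number in the second record and, for the third, the leaked Track 2 data, the unapproved `notes` field and the overdue purge.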

In a speech last month, John Coghlan, Visa USA's president and CEO, proposed creating an entity to manage data-security issues for the card industry. It would report on emerging risk and fraud issues, as well as promote, validate, and strengthen data-security compliance. Visa is increasing its own anti-fraud spending by $200 million over the next four years, Coghlan added.

Security Assessments
MasterCard and Visa have created four levels of merchants based on transaction volume. Level-one merchants, those that process more than 6 million total card transactions a year, are required to validate compliance through an annual on-site security assessment performed by a third party. Level-two merchants, those processing between 150,000 and 6 million online transactions per year, and level-three merchants, those processing between 20,000 and 150,000 online transactions annually, are required to conduct an annual self-assessment questionnaire. Level-four merchants, those processing fewer than 20,000 online transactions annually, are strongly encouraged to conduct the self-assessment questionnaire.

The Visa and MasterCard rules stipulate that banks can be fined as much as $500,000 per incident for security breaches occurring at a merchant or service provider with which they have a relationship. Merchants in general don't connect to the Visa and MasterCard networks directly; instead, they contract with service providers or their banks to connect to the networks. American Express holds merchants that fail to report a security compromise responsible for all fraudulent transactions, plus all costs Amex incurs as a result of resolving any illegal activity.

Merchants doing business with Visa and MasterCard are alarmed about the possibility that their banks could pass along to them fines levied by the card companies. They're also concerned about a clause that automatically reclassifies any merchant that suffers a security breach as a level-one merchant, holding them to the requirements that come along with that classification.

Camp Snoopy VP Chris Lake-Smith worries about the cost of complying with card-company mandates.

"The risk of being automatically reclassified as level one, as well as the prospect of fines levied by banks, is cause for concern," says Chris Lake-Smith, VP of information systems at Camp Snoopy, a 7-acre indoor theme park located at the Mall of America in suburban Minneapolis.

Compliance Complexity
While only a level-four merchant, Camp Snoopy has a complex IT infrastructure that includes three separate point-of-sale systems: one for rides and attractions, one for food and beverage, and one for merchandise. Each system must be validated for compliance with the card companies' data-security requirements. Among the main tasks is ensuring that all cardholder information is encrypted. "I fear that the cost of compliance is going to be high, even as a level-four merchant," Lake-Smith says.

Camp Snoopy has a good deal of work ahead to achieve compliance. For example, it bought the system it uses for rides and attractions from a company that went defunct a few years after the park opened in 1992. Since then, Camp Snoopy has had to contract with one of the former company's lead programmers for support.

The food-and-beverage system is InfoGenesis Corp.'s Revelation, which Camp Snoopy purchased in 2000. It also bought the latest terminals from IBM. As InfoGenesis introduced later versions of Revelation that required newer terminals, Camp Snoopy was forced to stick with the earlier version. "The machines that were top-of-the-line in 2000 didn't have the horsepower for the later versions of Revelation," Lake-Smith says.

Camp Snoopy is in the process of updating those systems to bring them into compliance. In addition, Camp Snoopy runs monthly network-vulnerability scans and annual penetration tests, has placed all applications behind the firewall, and encrypts all data.
