Transaction-service companies hustle to comply with security standards
Credit- and debit-card transaction-processing companies have been scrambling to meet stringent security standards laid down by American Express, Discover, MasterCard, and Visa. After the security breach disclosed last month at CardSystems Solutions Inc., which exposed more than 40 million accounts, the major card companies are being challenged to ensure that transaction processors not only get into compliance but stay there.
Cynergy constantly ensures against data compromise, CIO Ordonez says.
"After what happened with CardSystems, they're going to come out with new ways of auditing companies," says Andres Ordonez, CIO of Cynergy Data, which processes about 4.5 million transactions a month for 27,000 merchants. Cynergy's compliance effort cost $50,000, including external auditing fees and installing intrusion-detection and network-monitoring systems.
Compliance isn't just about passing annual audits. "It's what happens between the audits that counts," Ordonez says. "We store millions of card numbers, so we need to constantly ensure against compromising that data."
As of June 30, any entity that stores, processes, or transmits cardholder data had to comply with the Payment Card Industry Data Security standards, which require access-control measures, regular network monitoring and testing, and an information-security policy. Annual security audits and quarterly network scans also are required.
Just how many transaction-processing companies are compliant with the Payment Card Industry requirements isn't clear. Visa has published a list of about 150 compliant services providers, which it says represent most major payment processors. But Ordonez says there are hundreds of smaller processors for whom compliance costs could cause many to fold.
Companies that experience breaches and are found not to be in compliance face stiff penalties. Banks are responsible for ensuring compliance of the service providers they use and their merchant's service providers. Visa can fine banks up to $500,000 per incident for any merchant or service provider that's compromised and not compliant.
Visa and MasterCard have had security programs in place for several years, but enforcement was sometimes left to others. About two years ago, Princeton eCom Corp., which provides electronic bill-payment services for banks and other companies, was told by First Data Corp., a card payment processor, that it had to comply with Visa's program as a condition for building a link to First Data's systems. First Data was a processor for one of Princeton eCom's customers, says Jennifer Roth, product management VP at Princeton eCom.
Princeton eCom had built a link with another card processor, Paymentech LP, but Paymentech "hadn't brought it up as an issue," Roth says. Princeton eCom hired AmbironTrustWave, an information security auditing firm, to assess its program, and it received its compliance documentation late last year.
CardSystems has hired AmbironTrustWave to assess its Payment Card Industry compliance and says it plans to comply with Visa's and MasterCard's programs, both of which incorporate the group's standards, by Aug. 31. CardSystems had been verified as compliant with the Visa program in June 2004 but was later declared out of compliance when it was discovered that it was inappropriately storing cardholder data.
VeriFone Holdings Inc., a provider of payment terminals and software, began adapting its products to meet the Visa guidelines in 2003. Last year, it acquired the assets of GO Software, including its payment-processing software, and VeriFone had to devote six months of development and testing, including adding 128-bit encryption, to make those products compliant. During that work, Marco Mabante, VP of compliance and integration, says, "product development was at a standstill."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.