Crunch Time For Payment Processors - InformationWeek

Transaction-service companies hustle to comply with security standards

Credit- and debit-card transaction-processing companies have been scrambling to meet stringent security standards laid down by American Express, Discover, MasterCard, and Visa. After the security breach disclosed last month at CardSystems Solutions Inc., which exposed more than 40 million accounts, the major card companies are being challenged to ensure that transaction processors not only get into compliance but stay there.

Cynergy constantly ensures against data compromise, CIO Ordonez says.
"After what happened with CardSystems, they're going to come out with new ways of auditing companies," says Andres Ordonez, CIO of Cynergy Data, which processes about 4.5 million transactions a month for 27,000 merchants. Cynergy's compliance effort cost $50,000, including external auditing fees and installing intrusion-detection and network-monitoring systems.

Compliance isn't just about passing annual audits. "It's what happens between the audits that counts," Ordonez says. "We store millions of card numbers, so we need to constantly ensure against compromising that data."

As of June 30, any entity that stores, processes, or transmits cardholder data had to comply with the Payment Card Industry Data Security Standard (PCI DSS), which requires access-control measures, regular network monitoring and testing, and a written information-security policy. Annual security audits and quarterly network vulnerability scans also are required.

Just how many transaction-processing companies are compliant with the PCI requirements isn't clear. Visa has published a list of about 150 compliant service providers, which it says represent most major payment processors. But Ordonez says there are hundreds of smaller processors, many of which the cost of compliance could force to fold.

Companies that experience breaches and are found not to be in compliance face stiff penalties. Banks are responsible for ensuring the compliance of the service providers they use and of their merchants' service providers. Visa can fine banks up to $500,000 per incident for any merchant or service provider that's compromised and not compliant.

Visa and MasterCard have had security programs in place for several years, but enforcement was sometimes left to others. About two years ago, Princeton eCom Corp., which provides electronic bill-payment services for banks and other companies, was told by First Data Corp., a card payment processor, that it had to comply with Visa's program as a condition for building a link to First Data's systems. First Data was a processor for one of Princeton eCom's customers, says Jennifer Roth, product management VP at Princeton eCom.

Princeton eCom had built a link with another card processor, Paymentech LP, but Paymentech "hadn't brought it up as an issue," Roth says. Princeton eCom hired AmbironTrustWave, an information security auditing firm, to assess its program, and it received its compliance documentation late last year.

CardSystems has hired AmbironTrustWave to assess its PCI compliance and says it plans to comply with Visa's and MasterCard's programs, both of which incorporate the PCI standard, by Aug. 31. CardSystems had been verified as compliant with the Visa program in June 2004 but was later declared out of compliance when it was discovered that it was inappropriately storing cardholder data.

VeriFone Holdings Inc., a provider of payment terminals and software, began adapting its products to meet the Visa guidelines in 2003. Last year, it acquired the assets of GO Software, including its payment-processing software, and VeriFone had to devote six months of development and testing, including adding 128-bit encryption, to make those products compliant. During that work, says Marco Mabante, VP of compliance and integration, "product development was at a standstill."
