How Much Is Enough?

The question of who's responsible for securing cardholder information is complicated by the number of hops a transaction takes as it makes its way from the merchant, through the card networks, on to the cardholder's bank for authorization, and back to the merchant. As cardholder information is passed from one place to another, Lake-Smith says, there's a point where nobody is controlling it.

Clarification Sought
This question was raised at a recent transaction-security summit in Las Vegas hosted by Shift4 Corp., a provider of payment services. The summit brought together Visa, MasterCard, and American Express; security-assessment firms; point-of-sale system providers; and 100 merchants from all industries. At the summit, companies from the travel industry, which tend to outsource credit-card processing, complained about card companies' lack of clarity in determining responsibility in cases where they're in compliance with rules but their processors aren't. "It's up to [the card companies] to address industry-specific concerns," says Lake-Smith, who attended the summit.

The purpose of the event was to clarify the roles of the card companies and other constituents in the payment arena. Although the card companies are working toward defining a common set of requirements, small variations remain, says another attendee, Steve Parris, manager of application services at Swarovski North America, a purveyor of fine crystal.

For example, Parris isn't sure whether Swarovski North America is a level-two or level-three merchant. Some processors charge two fees: one at the time of authorization and another when funds are deposited into the merchant's bank account. "Is that two transactions or one?" he says.

Still, the summit was useful in clarifying what to look for in a processing system, Parris says. Swarovski is deciding whether to upgrade its Retail Pro system from Island Pacific Co. to meet the data-security requirements or switch to another system entirely. Among the system's criteria: Does it encrypt the data? Does it ensure that only data that's essential for business is stored? Does it ensure that the three-digit verification code on the back of the card isn't stored?

The breaches earlier this year at DSW Shoe Warehouse and Polo Ralph Lauren were the result of card-processing systems storing transaction data in violation of the rules, says Shift4's chief technology officer, J.D. Oder. As an operator of a payment "gateway," or switch that connects a retailer's point-of-sale system to the card networks, Shift4 adheres to strict security guidelines: It neither grants access to nor sells cardholder informa-tion; all credit-card numbers and expiration dates in its database are encrypted; and credit-card numbers are masked, showing only the first four and last four digits.

Weak Link
The key to preventing breaches is to "move card data out of the hands of merchants," Oder says. It was the storage of data, not its transmission, that tripped up DSW and Ralph Lauren, he says. Shift4 controls the flow of transaction information by assigning a token to each transaction, so if a merchant subsequently requires transaction details, it can request them by using the token.

Where the card companies are mostly to blame was in the CardSystems Solutions Inc. incident, in which 40 million payment records were exposed. The records consisted of transactions that hadn't been completed; the company was storing them for research purposes to determine why they weren't completed. The data was stored in readable form, in violation of Visa and MasterCard rules. CardSystems has since been acquired by Pay By Touch, another credit-card processor.

An audit revealed that unauthorized activity at CardSystems had started as early as April 2004-more than a year before it was revealed publicly by MasterCard. "CardSystems should have been held to a higher standard by the card associations, and they weren't," Oder says.

Whether the measures being implemented across the credit-card industry will be enough to prevent further breaches is yet to be determined. In the meantime, experts advise retailers to become fully compliant with the rules-in particular, to only store what's necessary and store it in an encrypted format.