The Green Sheet, Inc

Issue 04:09:02

Compliance: Challenges in Protecting Cardholder Data

Compliance. In the world of payments, there aren't too many other words as loaded as this one. It's one that sends shivers down the spines of banks, acquirers, merchants and ATM operators alike. First, it sounds like a lot of work: preparing for an audit, undergoing the assessment and repairing any vulnerabilities in a system's security chain.

Then it sounds expensive: determining if a system is secure, meeting compliance standards and paying potential fines for non-compliance.

But what exactly is it? An impossible goal? A pain in the neck?

In payments, compliance has many meanings and implications. There are rules issued by the card Associations that affect everyone who touches transaction data at any point along the way. And then there are the requirements, and fees, for registering with the Associations to represent them and sell their products.

Protecting the integrity of financial data has become an increasingly complex process. It's a spectrum, a continuum, and an ever-evolving challenge. Whether you embrace them or curse them, the regulations are intended to be safety precautions, not impediments.

While businesses in all industries struggle to keep information out of the wrong hands, data used by the payments companies is especially ripe for the plucking. After all, it's not just trade secrets or customer lists stored on servers ... and when the data are compromised, a definite chain reaction affects the businesses (merchants, processors, banks) as well as consumers. The importance of this issue right now doesn't have as much to do with national security or terrorism as it does with generating awareness in everyone who has anything to do with commerce, from consumers and merchants, to equipment manufacturers, banks and processors. It's more about brand protection and using the assurances of security to gain competitive footholds.

As a merchant or processor, for instance, being able to say that your business practices and methods for handling financial data meet a certain set of high standards is not only essential, it's good marketing.

Whether merchants or financial entities embrace or curse the prospect of meeting certain industry standards, the issue of compliance is unarguable. If you want to do business, you have to be compliant.

As David H. Press, Principal and President of Integrity Bankcard Consultants Inc., a Naperville, Ill.-based company that conducts compliance reviews of merchant, processor and bank business operations, said, "It's incumbent in this day and age of consumer awareness, with the number of people online: If you want to play in the game, you've got to know the rules and regulations."

Even though it has not always been easy to get those rules and regulations, it's up to payments sales professionals to keep their merchants up to speed on what's required of them on their end.

But the rules and regulations (what due diligence has to be done before a merchant is allowed to process, what information agents have to obtain on merchant applications, etc.) are lengthy and cover a lot of areas, Press said. And until recently, processors and ISOs, because they are not Association members, had a difficult time getting copies of the rules to pass along to their agents and merchants.

When Integrity Bankcard reviews businesses, Press said they see that every agreement says that all parties will abide by Visa/MasterCard regulations. They're finding that copies of the rules are now being made available more often these days to ISOs, where before they were not.

"Visa and MasterCard tell the members what the rules are, and those members (banks, credit unions, financial institutions) have a responsibility to follow the rules and regulations set by the Card Associations.

"But ISOs, even though they are not members, must also comply with the regulations," said Press. "Visa and MasterCard will not give them the regulations directly because they're confidential and provided only to their members."

However, he said, "The ISO must obtain a copy of the regulations from the member bank(s) they're registered with. It only stands to benefit the bank and the ISO.

"If you don't, you're doing a disservice to your organization and the merchants that are your clients.

"The worst thing that can happen is a merchant level salesman (MLS) goes out, signs up a merchant, and does not disclose fees or do their due diligence. The merchant processes transactions, and the next thing you know, they get fined by the associations. The merchant's going to scream, yell and say 'you never told me I couldn't do this' or 'you never said I needed that,' and then the merchant files a complaint with the Federal Trade Commission (FTC)," Press said.

Thanks to some high-profile cases in the past couple of years, awareness of the safety of financial data among merchants, and consumers, is growing, Press said. The Wal-Mart suit against Visa and MasterCard is one that helped bring the question of credit versus debit to the general public's attention.

These cases have caused the Associations to emphasize compliance more, too, said Press. "They've always pushed it, but they're pushing it more now. The lawsuits, and the FTC being more proactive, have awakened the sleeping giants of the Card Associations. It's about protecting the brand."

As of September 30, 2004, all Level 1 Merchants, or those who process more than six million transactions a year, must be compliant with Visa's Cardholder Information Security Program (CISP) compliance rules, so their level of compliance awareness is very high, said Micheal Petitti, a Managing Partner and Vice President of Sales and Marketing with Ambiron, an independent consulting firm based in Chicago specializing in security issues and enterprise information solutions.

"For Level 3 Merchants, or those that process less than a half-million transactions a year, there is no mandate for them just yet and there isn't a great deal of awareness among them," he said.

But the Associations are taking steps to correct that by sending letters to merchants; Ambiron is also beginning to contact merchants and work with them toward the inevitability of compliance deadlines, Petitti said.

TrustCommerce, an IP-based payment solutions provider in Irvine, Calif., recently received its second Visa CISP certification, meaning its standards for protecting transaction data meet those set by Visa. The company also commissions an annual survey to find out what the most important issues are for a random sampling of large Fortune 500 businesses and the smallest merchants in the marketplace.

This year's results showed that security is the most important attribute merchants consider when choosing an Internet-based payment processor, said Rob Caulfield, TrustCommerce CEO. "We wanted to gauge what the most pressing issues are and how we fit in with those," he said.

"There were 10 important attributes, including speed of transactions, reliability, price and technical expertise. But the number one issue identified in the survey was security.

"Cardholder data is precious cargo," Caulfield said. "There's no room for intrusion."

But not everyone is as well versed in this topic as they should be, and as with the law, ignorance of the rules is no excuse for non-compliance. If you, or your merchants, are confused by what the parameters of being compliant include for people in payments processing, take some comfort in the fact that you're not alone.

Consumer awareness, while increasing due to mainstream media coverage of identity theft and other types of fraud, could be better. So could the understanding of the rules on the parts of financial institutions and others in the payments industry.

As Press said, "This topic of compliance is huge and people don't know what they're supposed to do or what the implications are.

"The thing that amazes me is that we do reviews all the time of ISOs, banks and merchants that are not following the correct protocol, are not in compliance or don't know what the compliance should be.

"And this is a multi-billion-dollar a year business!"

Petitti agreed. "The increasing complexity of regulations and requirements is causing confusion; we're finding it's a mixture of confusion and frustration.

"Most people at the merchant level are not technical people. When it comes to translating the data and the security regulations of those programs into English, there's a definite level of frustration there."

That's why working with a compliance consultant is so important, Press said. "Get the rules and regulations, read them over, and have a basic understanding of what the Card Associations want you to do, or contact a consultant with expertise in the field.

"It's cheaper in the long run to pay somebody to make sure you are in compliance than it is to get fined by the Card Associations," he said. Compare the cost of a review, which might be $7,000 - $10,000 depending on the complexity of the operation, to the possibility of paying out hundreds of thousands of dollars in fines, which accrue daily, and increase exponentially with each security breach.

These issues and the standards established to deal with them aren't really anything new; the Associations' focus on compliance is not a response to the events of 9/11 or the passing of the U.S.A. PATRIOT Act in October 2001. Visa's Zero Liability policy, which took effect April 4, 2000, virtually eliminated consumer responsibility in cases of fraud involving Visa card transactions processed through the Visa network, including online purchases.

The policy removed both the $50 cardholder liability and the 48-hour reporting requirement in cases of fraudulently used Visa credit or debit cards. The Zero Liability policy applies to cards issued in the United States only, doesn't apply to commercial card or ATM transactions, or to PIN-based transactions not processed by Visa.

This would seem to make the prevention of fraudulent transactions imperative, placing the onus on merchants, processors and member banks.

That's exactly what Visa CISP does. MasterCard calls its equivalent program Secure Data Protection, or SDP; American Express has its Data Security Operating Policy, or DSOP program; the Discover Network established its Discover Information Security and Compliance, or DISC program.

Visa began talking about CISP before October 1999 and mandated the program as of June 2001.

CISP defines and sets "a standard of due care for securing Visa cardholder data, wherever it is located," as Visa puts it. Any business involved in storing, processing or transmitting Visa cardholder data must comply with CISP and is responsible for ensuring the compliance of their merchants and agents, whether they're issuers or acquirers.

All retail channels within the United States fall under CISP standards; international businesses must comply with Visa International's Account Information Security (AIS) program.

CISP involves 12 basic industry-wide requirements for handling cardholder data, including encryption, restricting access to the data, installing firewalls, maintaining security patches and system testing, as well as many sub-requirements.

Visa wants its financial institution Members to use service providers that are CISP compliant and to make sure that all its merchants and service providers are CISP compliant.

It sounds simple enough, but as Press said, people often believe they're doing things correctly, or have no idea that they're supposed to be doing anything at all. In order to become CISP compliant, merchants, banks and processors must enlist the services of a Visa-certified CISP assessor to review their systems and practices.

TrustCommerce recently received its second CISP certification; the first certification involved a 90-page assessment written on their operations: their servers were examined, employees and principals were interviewed, and a network breach was attempted, Caulfield said.

A spirit of cooperation seems to be factoring into the process, and the Associations appear to be willing to make it less complicated for merchants and financial institutions to meet the standards they each set.

Various businesses and industry organizations also recognize that the complexity of the issues presents a daunting challenge in reaching compliance.

These consultants and groups are working to simplify the process for their clients and constituents through developing programs and initiatives that combine a variety of compliance concerns. Efforts are underway throughout the industry to create uniformity and eliminate some of the red-tape overlap.

(The Electronic Authentication Partnership and The Initiative for Open Authentication are two programs in which trade organizations and corporations are partnering that we'll detail in a subsequent article.)

For their part, the associations are taking proactive steps to inform businesses of their roles in protecting sensitive data, and to form a united front. All brands are communicating the same information about security requirements to merchants accepting their cards.

American Express, Diners Club, Discover Card, JCB, MasterCard International and Visa U.S.A. sent a letter in July 2004 to all merchants summarizing the uniform requirements governing cardholder information security all Associations support.

"People are finding that once they get their arms around the Visa regulations, it dawns on them that there are regulations for MasterCard, American Express and Discover as well," Petitti said. "They say, 'I have to go through this four separate times?'" Ambiron has developed a Multi-Card Compliance Program, an online automated option for its clients.

But despite challenges, the people we spoke to for this article say the financial services system is very secure; they said the card associations have developed good programs for ensuring the safety of cardholder data and implementing best practices standards for certified providers.

"The system is a lot more secure than people believe it to be," said Press. "The number of hacking incidents in this industry is minuscule compared to others, because of the rules and regulations that are in place, and because of CISP and SDP certifications.

"The Card Associations' systems are very secure; you've never heard of anyone hacking into any of their mainframes to compromise account numbers. It's always at the merchant level.

"The core system itself is very secure, but as the core expands out to include new technologies, there are going to be vulnerabilities exposed," Press said.

While compliance requirements can be cumbersome, and many merchants aren't exactly thrilled to find out they have to complete the programs, Petitti said they're "very necessary in securing a supply chain that has grown so quickly.

"The card associations have come up with very good programs. If they can implement them and get adoption, they'll achieve the results they're looking for, which is a much more secure system across the entire supply chain.

"This is what is necessary to ensure the integrity of the entire system."

Because there is so much to the issue of compliance, we'll examine the rules and regulations, including Association registration for agents, more closely and look at ways various companies and industry associations are helping merchants, processors, agents, banks and equipment manufacturers meet their compliance requirements in an upcoming article.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2004, The Green Sheet, Inc.