A Must for 2005: CISP and SDP Compliance Reviews
By David H. Press
I predict that one of the hot and compelling issues for the ISO community in 2005 will be the hefty fines charged by Visa U.S.A. and/or MasterCard International for security breaches of an ISO's systems, or of one of its merchants' systems, that result in the compromise of cardholder data.
The card Associations require certification of all entities that store, process or transmit Visa or MasterCard cardholder data. Visa's program is called the Cardholder Information Security Program (CISP) and MasterCard's is the Site Data Protection (SDP) service.
Every day hackers attack and breach computer systems and compromise cardholder account data. An organized and profitable criminal enterprise, mostly centered in Eastern Europe and Russia, carries out this practice.
As ISOs increasingly provide merchants with transaction details and other information/services via the Internet, they become more vulnerable to attack.
Visa created the CISP program specifically for merchants and service providers that process, store or transmit cardholder data. The Association mandated the program to take effect May 1, 2001.
And as of Sept. 30, 2004, Visa required service providers (which includes many ISOs) to submit compliance documentation (see http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_service_providers.html).
Far fewer entities have been certified so far than the card Associations require.
The result of this lack of certification will be fines and more fines for ISOs and merchants that are not compliant in 2005, and massive fines (e.g. $500,000 from Visa alone) for those that are compromised while not CISP or SDP certified.
Under CISP, failure to comply with the standards or to rectify a security issue can result in:
1) restrictions on the merchant or service provider, or 2) permanent prohibition of the merchant's or service provider's participation in Visa programs. In addition, the following fines apply for non-compliance within a rolling 12-month period:
- First Violation - $50,000
- Second Violation - $100,000
- Third Violation - Management Discretion
For loss or theft of account information:
- If a Visa member knows or suspects a security breach with a merchant or service provider, the member must take immediate action to investigate the incident and limit the exposure of cardholder data.
- A Visa member or the member's service provider, or a merchant or the merchant's service provider, must immediately report the suspected or confirmed loss or theft of any material or records that contain Visa cardholder data.
- If a Visa member fails to immediately notify Visa U.S.A. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.
- Visa might levy additional fines in exceptional circumstances where the violation presents immediate and substantial risks to Visa and its members. A member that Visa determines has committed an egregious violation (e.g. an ISO that is not CISP certified) will be subject to a fine of up to $500,000.
For MasterCard, an acquirer is subject to an assessment in cases of account data compromise.
MasterCard rules require members to ensure that all e-commerce merchants and ISO/MSPs secure all systems containing MasterCard account, cardholder or transaction information (whether physical or electronic) to prevent access by or disclosure to any unauthorized party.
If an intrusion occurs, whether in the acquirer's merchant systems or in an ISO's/MSP's systems, the acquirer must provide MasterCard with complete information about the compromise and engage a data security firm to assess the vulnerabilities of the merchant or ISO/MSP systems.
MasterCard also can impose assessments, including an incident assessment, administration fees, and issuer card-recovery fees on the acquirer.
If an ISO's system is compromised, the ISO should expect that both Visa and MasterCard will fine it, but it doesn't stop there. Visa charges all transactions arising from the breach to the offending merchant, ISO or processor, and MasterCard charges the offender for each card that issuers must re-issue to cardholders as a result of the breach.
Many ISOs have delayed going through the CISP/SDP certification process because of the cost involved. The fine structure that's in place today could drive an ISO out of business if its system is breached.
Having CISP/SDP certification (think of it like an insurance policy) can protect the ISO from the massive fines the card Associations levy when a non-compliant system is breached.
Even the fine schedule for non-compliance (see above) would cost the ISO more than the typical CISP/SDP certification process. It's like driving recklessly: Not only do you not want to get stopped by police, but you also don't want to get in an accident or harm someone else.
But it doesn't stop there. Many states have adopted consumer disclosure provisions similar to the California provision that requires:
"[A]ny agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
"The disclosure shall be made in the most expedient time possible and without unreasonable delay ... consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system." (For more information, go to http://www.privacy.ca.gov/code/cc1798.291798.82.htm#one .)
For more information on the CISP requirements, refer to my previous article, "Visa's Cardholder Information Security Program (CISP)," The Green Sheet, Dec. 22, 2003, issue 03:12:02.
Both Visa and MasterCard provide detailed information about the programs on their Web sites:
David H. Press is Principal and President of Integrity Bankcard Consultants Inc. Call him at 630-637-4010, e-mail him at dhp@integritybankcard.net or visit www.integritybankcard.net.