GS Logo
The Green Sheet, Inc

Please Log in

A Thing

CISP Responsibility Spreading: Why Should ISOs Worry?

By Marco Mabante

Recent reports attributed alleged security breaches at Polo Ralph Lauren retail stores to the storage of credit card information on POS software. As the security battle intensifies between businesses and intruders, the stakes and the requirements for all parties, including ISOs, increase.

The Polo Ralph Lauren incident is only the latest in a string of widely publicized occurrences of compromised consumer data. With the advent of Internet connectivity to POS systems, data that were previously isolated from the rest of the world now might be exposed through an Internet connection if security flaws exist.

This connection is where the big hacks at store-level POS systems occur. The crimes dramatize the increasing risk of non-compliance with card Association security rules. Another concern is the cost incurred for non-compliance: Merchant fines might be as much as $500,000, but every company in the payments supply chain is potentially subject to penalties and costs.

One ISO, that asked not to be named in order to preserve its litigation options, told VeriFone Inc. that it was assessed tens of thousands of dollars as its share of MasterCard International auditing and re-issuance costs. The acquirers passed along the costs as a result of problems with a payment gateway.

The Federal Trade Commission reports that cardholders and issuers lose hundreds of millions of dollars each year to credit card fraud. A major component of this fraud is theft of cardholder information after consumers have entrusted it to merchants. To prevent loss of consumer confidence, it is critical that merchants and payment solutions providers take the appropriate measures to secure customer card data.

In an effort to rein in fraud, provide security guidance to merchants and give cardholders peace of mind, Visa U.S.A. instituted the Cardholder Information Security Program (CISP). Visa's intent with this program is to protect Visa cardholder data, wherever it resides, and to ensure that members, merchants and service providers maintain the highest information security standards.

Visa requires all merchants and service providers that store, process or transmit Visa cardholder data to be CISP compliant. To achieve CISP compliance, merchants and service providers must adhere to the Payment Card Industry Data Security Standard (PCI), a set of guidelines for safeguarding sensitive data for all card brands, including Visa U.S.A., MasterCard, American Express Co. and Discover Financial Services.

Meeting Visa's CISP requirements is no small task, but it is critical. Consumers need assurance that credit card information won't fall into the wrong hands. Achieving compliance costs less than hiring vendors and staff to fix a compromised system following an incident of fraud.

Merchant customers will also face the risk of whopping fines and possible removal from Visa's system. The heart of Visa's compliance program consists of 12 steps. The validation requirements include maintaining a working firewall; updating security patches; protecting stored data; and encrypting transmission of cardholder and sensitive data across public networks.

The requirements also include using and updating anti-virus programs; assigning unique IDs to employees with computer access and tracking them; and changing vendor-supplied defaults for system passwords and security measures.

The certification dictates that merchants regularly test security systems and processes, maintain information security policies for employees and contractors, and restrict physical access to cardholder data. Although there is not a formal CISP certification program for software applications, Visa recently developed a voluntary validation program, Payment Application Best Practices (PABP), to help software vendors create secure payment applications.

Visa derived the PABP validation requirements from the PCI standards mentioned earlier. For Visa to consider a payment software application secure, it must not retain full magnetic stripe or card verification value (CVV2) data; it must also support a merchant's ability to comply with CISP requirements.

Some of the best practices include providing secure password features; logging application activity; protecting wireless transactions; storing data from Internet transactions only within an internal network; encrypting sensitive traffic over public networks; and encrypting administrative access. One of the areas that has caused problems for payment gateways in the past is the writing of card information into log files.

PABP has been voluntary because Visa has no authority over third-party software developers. But this changed in April 2005 when First Data Merchant Services (FDMS) issued a notice that it is mandating PABP compliance for software products from vendors certified or planned for certification on any FDMS platforms. If acquirers, software developers and merchants all have to comply in some manner with CISP, why should an ISO worry?

As the ISO mentioned earlier found out, liability tends to roll downhill. It appears that Visa and acquirers are building tall legal battlements to protect themselves from future legal liability.

When future consumer security breaches lead to lawsuits, it's likely that trial lawyers will seek the weak links in the payment provider supply chain. ISOs need to be alert to ensure the third-party software solutions they deploy with merchants are CISP compliant and stay that way in the future as the standards evolve. Everyone involved in the POS software market must look to the future and embrace a long-term strategy for a more secure payments industry. Taking ownership of some of the CISP responsibilities, side by side with retailers, forges strong bonds and a priceless return on that investment.

Marco Mabante is Vice President, Compliance and Integration with VeriFone. Call him at 912-527-4507 or e-mail him at .

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
Back Next Index © 2005, The Green Sheet, Inc.