What PCI Data Security Means for Your Merchants

By Peter Scharnell

I recently attended the 2005 MasterCard Acquirer Days meeting in Atlanta. The event, usually devoted to sales, marketing and operational announcements, instead was dominated by one topic in particular: security. More than half of the agenda focused on cardholder security issues, primarily in terms of MasterCard and Visa U.S.A.'s Payment Card Industry Data Security Standard (PCI).

A presentation from John Bartholomew and Wenlock Free of SecurityMetrics, a payment card industry security firm based in Orem, Utah, was particularly interesting. They presented a live Web site hack and compromise. They also discussed online tools and resources, easily accessible to most people, for exposing common hacking practices and protocols.

Their overall message: Any computer connected to the Internet is a target, and hackers can access and compromise the most vulnerable systems in only seven minutes. Fortunately, we can reduce the likelihood of an attack by taking some basic preventative measures such as installing firewalls and using intrusion detection technologies.

In their presentations, Bartholomew and Free emphasized the importance of the industry-wide security policies and standards, such as PCI, and how these standards are essential for all computers connected to the Internet.

Most importantly, the card Associations now require compliance with these standards for the majority of Web sites and software applications that conduct e-commerce transactions.

What Are PCI Security Standards?

Visa's Cardholder Information Security Program (CISP) is a set of rules for securing computer systems from unauthorized access and loss of credit card data. Visa established these rules several years ago and required large credit card processors to implement them; however, the Association only recommended compliance for most merchants accepting credit cards.

PCI is a new, industry-wide standard that incorporates many of Visa's CISP rules but also has additional requirements. Visa, MasterCard, American Express Co., Discover Financial Services, and other card issuers now recognize and adhere to the new PCI standard as a part of their data security programs.

PCI regulations require that merchants encrypt credit card numbers, and they also specify rules for card verification value (CVV) codes and other security-related fields.

The rules require that merchants do not store card security codes on their systems (see "PCI: Card Associations Unite to Fight Fraud With Collaborative Standard," The Green Sheet, Feb. 14, 2005, issue 05:02:01).
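The two storage rules just described, no card security code on the merchant's systems and no cleartext card number, are easiest to enforce at the point where a transaction record is written. The following is an added example, not code from the article, SecurityMetrics or EXS: a pre-storage check that rejects records carrying a security code field and flags any Luhn-valid card number stored in the clear, plus a sanitizer that drops the code and keeps only the masked number. The field names, the masking format and the sample records are assumptions made for this example.

```python
"""Pre-storage check for merchant transaction records (added example).

Enforces two PCI retention rules named in the article:
  1. the card security code (CVV/CVC/CID) is never stored, and
  2. the card number (PAN) is never stored in cleartext.
In a real system the full PAN would go to an encrypted store; only the
masked form is kept in the transaction record. Field names below are
assumptions, and the sample records are constructed for this example.
"""
import re

# Field names commonly used for the card security code (assumed list).
SECURITY_CODE_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "card_security_code"}

# 13-19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; separates card numbers from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit number found in text, digits only."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the portion allowed for display."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def audit_record(record: dict) -> list[str]:
    """Return a list of violations; an empty list means the record may be stored.

    Findings report only the masked PAN so the audit log itself never
    becomes a second place where cleartext card numbers are kept.
    """
    violations = []
    for key, value in record.items():
        if key.lower() in SECURITY_CODE_FIELDS:
            violations.append(f"security code present in field '{key}'")
            continue
        if isinstance(value, str):
            for pan in find_cleartext_pans(value):
                violations.append(f"cleartext PAN in field '{key}': {mask_pan(pan)}")
    return violations


def _mask_match(m: re.Match) -> str:
    """Mask a regex match only if it is a Luhn-valid number (i.e. a real PAN)."""
    digits = re.sub(r"[ -]", "", m.group(0))
    return mask_pan(digits) if luhn_ok(digits) else m.group(0)


def sanitize_record(record: dict) -> dict:
    """Return a copy safe to persist: security code dropped, PANs masked."""
    clean = {}
    for key, value in record.items():
        if key.lower() in SECURITY_CODE_FIELDS:
            continue                      # never persisted, not even encrypted
        if isinstance(value, str):
            value = _PAN_RE.sub(_mask_match, value)
        clean[key] = value
    return clean


if __name__ == "__main__":
    # Constructed sample: a record as an order system might hand it to storage.
    # 4111 1111 1111 1111 is the standard Visa test number, not a live card.
    sample = {
        "order_id": "A-1001",
        "pan": "4111 1111 1111 1111",
        "cvv2": "123",
        "memo": "ship by 2005-03-01",
    }
    for v in audit_record(sample):
        print("VIOLATION:", v)
    print("stored as:", sanitize_record(sample))
```

Run as a script it prints the two violations for the sample record and the sanitized copy that would actually be written. The Luhn test is what keeps order numbers, dates and amounts from being reported as card numbers; the masked form in the findings is deliberate, since an audit trail that prints full PANs recreates the problem it is meant to catch.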

Who Is Subject to PCI Rules?

According to Visa, any merchant processing more than 500,000 transactions a year must comply with PCI rules. For MasterCard, any merchant accepting at least $125,000 in transactions a month must comply with PCI rules. Other card issuers have different rules; however, most are adopting or recognizing Visa's.

Most card issuers reserve the right to require merchants to meet the rules, and any loss of data will certainly trigger an audit and mandatory compliance. As an ISO or merchant level salesperson, consult your bank or card processing vendor to determine if any of your merchants must comply with PCI rules.

Visa also states that acquirers are responsible for determining the compliance validation levels of their merchants.

All merchants will fall into one of the four merchant levels. They will be prioritized based on transaction volume and potential risk and exposure introduced into the Visa system. Visa bases the transaction volume on the aggregate number of Visa transactions from a Doing Business As (DBA) or a chain of stores (not a corporation that has several chains). Merchant levels are defined in the chart to the right.

In addition to adhering to the 12 security requirements and sub-requirements detailed in the PCI Security Audit Procedures, Visa requires compliance validation for Level 1, Level 2, and Level 3 merchants and strongly recommends it for Level 4 merchants (see chart below).

Even if the majority of your merchants do not meet the minimum requirements for PCI compliance, there are other good reasons to get them to adhere to these rules.

Complying with the PCI standards will help in meeting other state and federal regulations for data security such as the Gramm Leach Bliley, Sarbanes-Oxley, and Health Insurance Portability and Accountability acts, to name only a few.

It's safe to say that the card Associations are serious about the PCI standards. Both Visa and MasterCard impose stiff fines of up to $500,000 on non-compliant merchants. It's also clear that the Associations are trying to send a strong message to the federal government. They want to convey that they can regulate the payment processing industry without intervention from Capitol Hill.

For more information on the Visa/MasterCard PCI rules and regulations, please contact your acquirer or processor, and visit the following Web sites:

Peter Scharnell is Vice President of Marketing for Electronic Exchange Systems (EXS), a national provider of merchant processing solutions. Founded in 1991, EXS offers ISO partner programs, innovative pricing, a complete product line, monthly phone/Web-based training, integration services and, most of all, credibility. For more information, visit EXS' Web site at or e-mail him at . EXS is a registered ISO/MSP for HSBC Bank USA, National Association.

© 2005, The Green Sheet, Inc.