e've been hearing, and talking, about compliance in the payments industry a lot lately.

As awareness of protecting financial information grows, the card Associations, acquirers, equipment manufacturers, merchants and even consumers are all concerned about identity theft, database hacks, card skimming, phishing, Web sites offering stolen account numbers for purchase, check forgery and the numerous schemes that keep surfacing on a regular basis.

Because of the far reaching implications resulting from system breaches, protecting the security of transaction data grows more important all the time. No one benefits when the issues are not addressed: Merchants lose money, card brands lose value, and individuals lose good credit ratings and the time it takes to repair them.

Conducting business in the payment processing business is far more complex now than ever before: There are now more people using more payment methods in more locations, and transaction data come in contact with more touch points along the way.

This means there is also far more potential for crooks to get involved. We all know that complying with standards to protect cardholder account information makes sense, but when there are a seemingly overwhelming number of standards and rules to follow, what it means to be compliant isn't always crystal clear.

Business owners might grumble about the added expense of conducting assessments and fixing vulnerabilities in their systems; they might procrastinate over submitting paperwork, and they might be confused over exactly what it is they're supposed to do. They might not even be aware that they're at risk.

The bottom line, though, is maintaining the integrity of the data and the systems that transmit them.

One Common Language of Compliance

The card Associations have worked diligently to establish standards of security for protecting their customers' accounts; banks, acquirers and processors are expected to implement the standards and follow the regulations.

Visa's Cardholder Information Security Program (CISP); MasterCard's Site Data Protection (SDP); American Express' Data Security Operating Policy (DSOP) and Discover's Information Security and Compliance (DISC) are all specific programs that spell out requirements for the systems that handle transaction data.

The downside to this has been that until recently there were four separate sets of standards to comply with, four reports to file, and so on. Despite their similarity of purpose and content, each brand maintained its own program.

Now comes the Payment Card Industry Data Security Standard (PCI), the alignment of MasterCard's and Visa's security requirements. The Associations officially introduced the new standard in December 2004.

Before your merchants stage a mutiny, ISOs and merchant level salespeople (MLSs) should understand that this is not yet another set of rules to follow, but a collaborative effort between MasterCard and Visa to simplify the process and get everyone on the same compliant page.

PCI is a reorganization of the fundamental foundations of CISP and SDP, according to John Shaughnessy, Senior Vice President of Fraud Control and Operations with Visa U.S.A. "Both the CISP and SDP programs remain unchanged," he said. "The PCI Security Standard was created to provide a common and more efficient framework for both.

"Merchants and service providers will now be able to assess the status of their security by using a single validation process for all card companies. This will result in lower costs, reduced complexity and wider acceptance of standard security requirements for the industry."

"PCI standards are really just technical requirements," said John Verdeschi, Vice President, eBusiness and Emerging Technologies for MasterCard International. "The security program that acquirers deploy to their merchants is SDP, which is based on the requirements of PCI.

"Think of PCI as being in the middle, forming the foundation for MasterCard's SDP program and Visa's CISP program."

PCI standards are not new or innovative approaches to security. The requirements incorporate many principles of data security best practices, with adjustments to accommodate considerations in payments.

"PCI is based on a lot of well-known security practices and common sense, but it's also based on our own experiences over the last couple of years in response to breaches," Verdeschi said. "The standard is focused specifically on the payment card industry and what an entity can do to protect card data that is stored."

Financial services is an area that is certainly well regulated by industry organizations and the government, but trying to make those established standards fit payment processing like a glove often leaves issues unaddressed.

"Many times we're asked, 'Is Sarbanes-Oxley enough? Is this standard enough?' and the response is 'No, not necessarily,'" Verdeschi said.

The fact that the two card Associations put down the gauntlet long enough to establish a common industry standard says a great deal about how critical they feel the threat from fraud is.

In fact, PCI has been endorsed by other card brands in the United States and globally, according to both Shaughnessy and Verdeschi. With that endorsement, and with the incorporation of the standards as the frameworks for their respective security programs, PCI establishes a worldwide standard for consumer data protection across the payments industry.

It's not only that the frequency and types of fraudulent activity have increased recently giving cause for concern. The increase in e-commerce transactions, as well as the increase in merchants using Internet protocol (IP)-based payments solutions to transmit transaction information, also contribute to fears over fraud. Even merchants who are just connected to the Internet or who use e-mail are at risk.

"Data security is very much seen as a non-competitive issue, and one that is really for the good of the payment card industry as a whole," Verdeschi said.

"Over the last couple of years, MasterCard and Visa have pursued different but related approaches to protecting account data. Our common goal is to protect the account numbers of our cardholders, which are being stored by various merchants and service providers on the Internet and elsewhere.

"We've realized that while we have similar goals, having different approaches is counter-productive. What we're looking for is mass adoption of security measures," Verdeschi said.

PCI is comprised of 12 main requirement headings and sections and sub-sections within those. These apply to all members, merchants and service providers that store, process or transmit cardholder data, including, but not limited to, firewalls, routers, databases, e-mail services, wireless access points and internal and external Web applications.

With PCI, the card Associations have redefined merchant levels to include a broader swath of e-commerce transactions than SDP or CISP.

J. Chris Noell, Vice President of Business Development for Solutionary Inc., a security assessment and risk management consulting company, said merchants' experiences have been unlike those of banks or financial institutions, which have been dealing with compliance and regulatory issues for years. For merchants, the mindset is completely different.

"The average merchant, and it doesn't matter how large they are, doesn't always fully understand the complexity of the process and why this is so important," Noell said.

Communicating compliance information to merchants becomes the responsibility of sales agents, as their direct connection with the payment card industry.

Fraud's New Look

The sophistication of fraudsters and the methods they employ increase all the time.

One excellent example is the 62-count indictment handed down in October 2004 by a federal grand jury following an investigation by the U.S. Department of Justice (DOJ) against the so-called Shadowcrew Operation.

According to the DOJ, 19 individuals from the United States and several other countries operated a Web site called "Shadowcrew" with 4,000 members whose sole purpose was to facilitate the theft and distribution of bank account information and identification documents.

Shadowcrew members allegedly trafficked a minimum of 1.7 million stolen credit card numbers and caused losses in excess of $4 million, an amount that Noell said is likely an understatement.

"Look at the threats PCI is designed to address," Noell said. "The threat is hackers out there becoming increasingly organized, international and professional. The face of the criminal has changed; it's not teenagers who play Dungeons and Dragons on the weekends anymore.

"They're more profit-oriented and realize the increased potential for success over old-fashioned card-skimming, where you have to be physically present to commit the crime and get one card at a time. The new easy way allows them to stay in a country where what they're doing might not even be illegal, compromise a merchant database that stores millions of cards, and get access to 100,000 at a time," he said.

Everyone agrees that something like PCI had to happen, not only in response to the increase in e-commerce but also because there are now more merchants with Internet connectivity and using IP-enabled terminals to process payments. The implementation of a single language that applies to anyone who touches cardholder data leaves no room for guessing who's responsible for what.

"This is extremely important because the environment we're all working in is growing more and more complex," Verdeschi said. "There are more entities participating in it, and there are more touch points. It becomes important that the industry have one source to go to to learn how to protect that data."

"From a risk perspective, if you have any connection to the Internet, and your network is also connected to your database where you store cardholder and transaction information, it doesn't matter if you're doing e-commerce or brick-and-mortar," Noell said.

"Someone can compromise your Web site, e-mail or other service and use that to penetrate into your internal network and get to that database, and that's what matters."

Verdeschi said that keeping abreast, and ahead, of the fraudsters is one of the challenges security developers face; PCI, as the common standard, allows the industry to be a lot more nimble in its overall response. The ability to update PCI is one of the program's key factors.

"There will always be new threats and we need to be able to react to those," Verdeschi said. "Our intent here is to be proactive, but at the same time, you have to be reactive. You have to work both of those in tandem."

Shaughnessy agreed, and said that the ultimate goal is to provide consumers with a positive, secure transaction experience. "This is the best insurance out there," he said. Fighting fraud is an ongoing battle, and the whole industry continues to rally around coming up with effective data security solutions."

"The most important thing here is that what you're seeing is the industry is coming together and stating emphatically that data security is a non-competitive issue," Verdeschi said.

"It is a critical issue for the industry, and by having one standard, we've raised the bar and we're setting an expectation that if you want to participate in the payment industry, it is expected that you will secure data in accordance with the data security standard.

"Our belief is that if the industry is working together, it's only better for everyone."

When merchants gripe about looming deadlines for validation paperwork, the hassle of going through assessments and the expense of repairing weak links in their systems, ISOs/MLSs should take the opportunity to educate them, and to direct them to processes and equipment that will enable their compliance.

"I believe that ISOs have a nice market opportunity that many are not capitalizing on," Noell said. "As you go through the security assessments, you find that a lot of the older payment processing and POS gear will have to change and be upgraded."

For example, he pointed to regulations regarding card account number truncation, which say that only a few of the digits can be printed on receipts.

"Maybe a merchant has a really old system that prints the whole number; that's a sales opportunity for an ISO, and there are a ton of others," Noell said. "They can be recommending and referring [security and compliance assessment consultants] and taking a piece of the action.

"Sales agents are the ones with the relationship with the merchants, and from the merchant's perspective, I think they'd like to see one party taking responsibility for all their payment processing issues, not just the non-security-related ones," he said.

"There's an opportunity for them to profit from these security standards."