Visa and MasterCard Cracking Down on Small Merchants
Visa and MasterCard are cracking down on the security of small merchants who take credit cards online. The card associations have required security assessments from larger merchants for some time, but this is the first time they’ve required smaller merchants to certify. An article in the Wall Street Journal notes that it’s for the merchant’s own good:
The credit-card companies have little choice but to crack down. While it’s true small companies may be less attractive targets than large ones, size is not a good measure of risk, experts say. Hackers regularly use automated programs to scour the Internet for computers with known security holes, which they can then attack at their leisure.
E-commerce companies are still in a mode of trying to keep things working, says Mr. Freund, and not in a mode of keeping things secure. But as large merchants step up security, Mr. Freund believes hackers will focus on targets with weaker defenses, often smaller firms.
The consequences of a break-in could be devastating; many small companies live and die by their ability to build a base of repeat customers, and a data loss can unleash a wave of customer defections. Companies that suffer security breaches will also face penalties and extra scrutiny from Visa and MasterCard.
From WSJ.com - Enterprise, referenced Thu Apr 28 2005 09:23:44 GMT-0600 (MDT)
Certification isn’t easy. You have to answer yes to every question on a fourteen-page questionnaire. For many small companies without a full-time IT staff, becoming compliant will be a fairly onerous process. The questionnaire is based on the following twelve requirements:
- Install and maintain a working firewall to protect data
- Keep security patches up-to-date
- Protect stored data
- Encrypt data sent across public networks
- Use and regularly update anti-virus software
- Restrict access by “need to know”
- Assign unique ID to each person with computer access
- Don’t use vendor-supplied defaults for passwords and security parameters
- Track all access to data by unique ID
- Regularly test security systems and processes
- Implement and maintain an information security policy
- Restrict physical access to data
Nothing too shocking here for anyone who’s thought about computer security before. The price of being connected and participating in the Internet economy is living by the card association rule-sets. The result is better security for all of us.
Posted by windley on April 28, 2005 9:20 AM
Comment from Cid Dennis at April 28, 2005 11:53 AM
Just another reason to use PayPal if you are a small merchant.
Comment from derek holley at April 28, 2005 10:55 PM
This would not be an issue if there was something in place to make sure that before a credit card was used by any company it had to be authorized via e-mail any and every time it is used, otherwise no transaction. It should not be accepted without email approval. The problem lies with the vendor and the bank: if the vendor can cash the card and the bank accepts it on good faith, both the vendor and the bank make money even if it screws the customer.
Comment from Nathan at April 30, 2005 2:02 PM
[Aside: Phil, I wish your comments allowed some kind of formatting. Both regular newlines and HTML breaks were stripped from my comment, so you'll just have to pretend my dashes are nicely formatted line breaks]
Finally the general public is starting to get wind of this! This is the first time you've directly mentioned stuff I deal with every day in the nearly 2 years I've been reading your blog, so I've got to comment!
One big point that you failed to mention, Phil, is that in addition to answering the questionnaire, merchants are required to run external security scans (by an approved vendor) against all machines with a public IP address that the company runs, including the public IP of any office routers. (There are some exceptions in cases of large organizations like universities that have a large number of active public IP addresses)
We've been working in exactly this space for the past FIVE years at SecurityMetrics in Orem (www.securitymetrics.com), and only now is the need for security really becoming public knowledge. We've been offering access to an online version of the questionnaire you mentioned (which lets you save your answers and come back to them later), as well as automatic compliance reporting to the merchant's acquiring organization to anyone who purchases a Site Certification.
In response to the comments above:
1) No Cid, just using PayPal doesn't exempt your organization. If your organization has any Internet presence, you'll need to be compliant (see below).
2) Derek, merchants already have the option to require exactly matching billing information (Full name on card + billing address), and yet there are still any number of places to purchase things using only a card number and expiration date. Why? If you've ever tried to purchase something from a place that requires full matching information, then you know what a pain it is. Did you use your full first name on the card? Did you use a period or not after your middle initial? Did you even have your middle initial on the card? Did you use your home or office address? What was that zip code at the office? Did you use "Ave." or "Avenue", "St." or "Street"? Etc. etc. etc. It's a pain in the rear and many people will simply purchase somewhere else to avoid the hassle. Adding a requirement for live interaction via email would not solve any problems.
There's been a lot of confusion about the whole Payment Card Industry Data Security Standard (PCI DSS) Compliance process as far as who has to do this and why. It boils down to this:
Who has to be "compliant"?
Anyone who has a merchant account with Visa, MasterCard, American Express and/or Discover Card (i.e. your organization accepts any of those cards as a form of payment) AND the organization has any internet presence, including informational-only web sites and office internet access.
Why Visa, MasterCard, et al. want compliance:
Fraud is expensive! At a minimum you have to physically replace all compromised cards, refund fraudulent charges, etc. etc. Each of the big hacks you read about in the news cost credit-card organizations huge bundles of money.
Why from the merchant's viewpoint #1:
Fines from card associations like Visa typically START at $50,000.00 + $20 per card number compromised in any way. So if 5,000 card numbers were compromised, a normal fine would start at around $150,000.00. That's typically more than the average company can easily handle. However, if the merchant is "compliant", meaning they are being periodically scanned by an approved vendor (and passing the scans) and have truthfully completed the questionnaire (answering yes to all the questions), then the fine is typically waived.
Why from the merchant's viewpoint #2:
Implementing security "best practices" according to the questionnaire and doing real life external vulnerability scans to verify that implementation translates to better security in a real sense. Not only will the credit card numbers be better protected, but all the other important electronic aspects of your business will benefit from the security as well.
So what's the price of security anyway? Well, unless you're a large merchant (and 95% of organizations aren't), it's an annual $99 scan (at www.securitymetrics.com anyway) plus whatever it takes to answer the questionnaire truthfully.
If anyone wants/needs any more information, I'd be happy to point them in the right direction. Just decipher my email address below. :)
nathan (at) no.spam securitymetrics.com
(Without the "no.spam")
Comment from Nathan at April 30, 2005 2:04 PM
I must amend my "Aside" from my last comment:
Your "Preview" doesn't show line breaks! But apparently the actual comment preserves them. Makes for a not-very-useful preview :-)