Visa and MasterCard Cracking Down on Small Merchants


Visa and MasterCard are cracking down on the security of small merchants who take credit cards online. The card associations have required security assessments from larger merchants for some time, but this is the first time they've required smaller merchants to certify. An article in the Wall Street Journal notes that it's for the merchant's own good:

The credit-card companies have little choice but to crack down. While it's true small companies may be less attractive targets than large ones, size is not a good measure of risk, experts say. Hackers regularly use automated programs to scour the Internet for computers with known security holes, which they can then attack at their leisure.

E-commerce companies are still in a mode of trying to keep things working, says Mr. Freund, and not in a mode of keeping things secure. But as large merchants step up security, Mr. Freund believes hackers will focus on targets with weaker defenses, often smaller firms.

The consequences of a break-in could be devastating; many small companies live and die by their ability to build a base of repeat customers, and a data loss can unleash a wave of customer defections. Companies that suffer security breaches will also face penalties and extra scrutiny from Visa and MasterCard.
From WSJ.com - Enterprise
Referenced Thu Apr 28 2005 09:23:44 GMT-0600 (MDT)

Certification isn't easy. You have to answer yes to every question on a fourteen-page questionnaire. For many small companies without a full-time IT staff, becoming compliant will be a fairly onerous process. The questionnaire is based on the following twelve requirements:

  1. Install and maintain a working firewall to protect data
  2. Keep security patches up-to-date
  3. Protect stored data
  4. Encrypt data sent across public networks
  5. Use and regularly update anti-virus software
  6. Restrict access by "need to know"
  7. Assign unique ID to each person with computer access
  8. Don't use vendor-supplied defaults for passwords and security parameters
  9. Track all access to data by unique ID
  10. Regularly test security systems and processes
  11. Implement and maintain an information security policy
  12. Restrict physical access to data
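Several of these requirements are things a small merchant can actually check with a script rather than a checkbox. The following is an added example, not code from the original post or from the card associations: a small self-audit that covers requirement 7 (unique ID per person), requirement 8 (no vendor-supplied defaults) and requirement 9 (access to data tracked by unique ID), plus a TLS check for requirement 4. The log format, the configuration keys, the list of shared account names and the list of default secrets are all assumptions constructed for this example.

```python
"""Added example (not from the original post): a small self-audit script for
PCI-style requirements 4, 7, 8 and 9, run against constructed sample data."""
import re
from dataclasses import dataclass
from collections import Counter

# Constructed sample access log for a cardholder-data store.
# Assumed format: "<ISO timestamp> <user id> <action> <resource>".
SAMPLE_LOG = """\
2005-04-28T09:01:12 jsmith READ orders/4471
2005-04-28T09:02:50 admin READ customers/card_numbers
2005-04-28T09:03:01 - READ customers/card_numbers
2005-04-28T09:05:33 mlopez EXPORT customers/card_numbers
2005-04-28T09:07:00 root DELETE orders/4471
"""

# Constructed application configuration with vendor defaults still in place.
SAMPLE_CONFIG = {
    "db_user": "sa",
    "db_password": "changeme",
    "admin_user": "admin",
    "admin_password": "admin",
    "tls_required": False,
}

# Accounts that name a role or a vendor default rather than one person
# (assumed list; a real audit would use the merchant's own inventory).
SHARED_ACCOUNTS = {"admin", "root", "administrator", "sa", "guest", "-", ""}

# Placeholder secrets that vendors commonly ship (assumed, illustrative list).
DEFAULT_SECRETS = {"changeme", "admin", "password", "default", "", "123456"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


@dataclass
class Finding:
    requirement: int   # which of the twelve requirements the finding maps to
    detail: str


def audit_access_log(log_text):
    """Requirements 7 and 9: every access to data must be attributable to
    exactly one named person. Returns one Finding per offending entry."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            # An entry we cannot parse cannot be traced to anyone (req. 9).
            findings.append(Finding(9, f"line {lineno}: unparseable entry"))
            continue
        _ts, user, action, resource = m.groups()
        if user in SHARED_ACCOUNTS:
            findings.append(Finding(
                7, f"line {lineno}: {action} on {resource} by "
                   f"shared or missing account {user!r}"))
    return findings


def audit_config(config):
    """Requirement 8 (no vendor defaults) and requirement 4 (encrypt data
    crossing public networks) checked against a flat config mapping."""
    findings = []
    for key, value in config.items():
        if key.endswith("_password") and value in DEFAULT_SECRETS:
            findings.append(Finding(8, f"{key} is still a default value"))
        if key.endswith("_user") and value in SHARED_ACCOUNTS:
            findings.append(Finding(8, f"{key} uses default account {value!r}"))
    if not config.get("tls_required", False):
        findings.append(Finding(4, "tls_required is off"))
    return findings


def summarize(findings):
    """Count findings per requirement number, for a quick gap overview."""
    return dict(Counter(f.requirement for f in findings))


if __name__ == "__main__":
    all_findings = audit_access_log(SAMPLE_LOG) + audit_config(SAMPLE_CONFIG)
    for f in all_findings:
        print(f"req {f.requirement:2d}: {f.detail}")
    print("summary:", summarize(all_findings))
```

Run as-is it reports the three accesses made under `admin`, `-` and `root`, the four default credentials, and the missing TLS setting; the point is that a "yes" on the questionnaire for requirements 7 and 9 can be backed by evidence pulled from the logs rather than by assumption.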

Nothing too shocking here for anyone who's thought about computer security before. The price of being connected and participating in the Internet economy is living by the card association rule-sets. The result is better security for all of us.