Visa Puts Credit Security on You

New credit card security standards focus on what happens to the data after consumers pay with plastic. Are you compliant?

By Barney Wolf

Credit card giant Visa is requiring restaurants and other merchants in the U.S. to meet stronger security standards for the payment software they use. The mandate that went into effect July 1 is the last in a series of rules that Visa put into place in an effort to secure sensitive information after a credit or debit card transaction is authorized.

Merchants could be subject to fines if they don’t abide by the new rule, which requires third-party payment-application software to prohibit the storage of magnetic-stripe, personal identification number (PIN), or other authentication data. The mandate doesn’t pertain to merchants using in-house-developed payment applications, stand-alone hardware terminals, or PIN-entry devices.

The cost of meeting the requirement depends on the software a restaurant uses, says Wenlock Free, vice president of business development for SecurityMetrics Inc., a Utah-based firm that helps businesses comply with data-security standards. “It may be just an inexpensive change, especially if the software is relatively recent,” he says, noting much of the newer software already meets standards. “But if the restaurant has been driving a Model T in terms of software, there may be a lot of upgrades that are required.”

Banks, point-of-sale (POS) systems, and data processors also must comply with the Payment Application Data Security Standard (PA-DSS).

Data theft is a major financial problem worldwide. According to research by Verizon Communications Inc., 285 million records were compromised in 2008. Another study, the 2010 Global Security Report prepared for data-security company Trustwave, found that third-party vendors or their software were responsible for more than 81 percent of investigations of a security incident or compromise last year.

Payment-application software typically stores, processes, or transmits cardholder data as part of the authorization or settlement of a card transaction. The applications are traditionally used for POS systems and usually designed for PC-based architecture. Restaurants’ payment applications are often integrated with other computer solutions for everything from menu updates to purchasing and back-office functions. According to Visa, these integrated systems are the most common targets under attack by criminals.

As a result, “the goal is to make sure all these payment applications are secure,” says Jennifer Fischer, senior business leader for U.S. payment system risk at Visa, which has more than 5 million American merchant locations and was the first to establish mandates. “We want to be certain that merchants are using applications that comply with industry standards and not using applications that may introduce vulnerabilities” to both the individual business and card-payment systems, she says.

The standards were developed by the Payment Card Industry Security Standards Council, an organization founded in 2006 by Visa, American Express, Discover, JCB, and MasterCard to create consistent security guidelines for credit and debit cards. “Our one focus is to protect card data, how it’s stored, processed, and transmitted,” says Robert Russo, the council’s general manager. “We just set the standards.” The card companies determine mandates and deadlines.

Lists of hundreds of validated payment applications are available from the council online or at Visa’s website. If a merchant has payment-application software that is not on the approved list, the business should call the third-party vendor and find out why, Russo says.

The National Restaurant Association (NRA) released a statement from David Gilbert, chief operating officer, expressing that the organization is following the rule changes closely.
The association “has been extremely active in pushing the education of both members and the industry, including education sessions last month at the NRA Show in Chicago,” Gilbert says. “The change will be difficult for all restaurants.” The statement blamed the credit card industry for being “slow and ineffective in addressing the data risk, and they are pushing responsibility, liability at every opportunity to merchants.”

But most experts say it is in a restaurant’s best interest to have secure payment applications, with or without mandates. After all, a business that suffers a security breach may be fined, but it could face an even more serious, longer-lasting problem: the loss of customer confidence and damage to the merchant’s reputation.