
Thread: Uh Oh... Remember That $750 Visa Fee Thing? It Looks Like It May Be Going Up

  1. #1
    You do realize by 'gay' I mean a man who has sex with other men?
    Join Date: Oct 2003 | Location: New Orleans, Louisiana | Posts: 21,635


    CYBERSPACE - Beginning June 30, all e-commerce merchants who process, store, or transmit credit card holders’ information online will be subject to an enhanced security standard established by the credit card industry in an effort to curtail identity theft.

    The revised rules, part of the Payment Card Industry Data Security Standard, comprise a 12-step security audit under which merchants will have to be certified annually. In addition, quarterly assessments of merchants’ security procedures and systems will be mandatory. Merchants who do not conform are subject to significant fines and, in extreme cases, revocation of transaction processing privileges.

    Although the enhanced standard is aimed primarily at beefing up data security, it also serves to consolidate security measures across all major transaction processing networks. “Before this year, the PCI did not exist as it does now,” Rand Pate, communications director for adult industry Internet payment service provider (IPSP) Epoch Transaction Services, tells AVNOnline.com. “Previously, each card association had its own compliance requirements, the more familiar being the Cardholder Information Security Program [CISP] mandated by Visa, and the Site Data Protection [SDP] protocol required by MasterCard. In early 2005, the card associations came together to promote a unified data security standard,” which in its final form was adopted by all major card issuers.

    Twelve Steps

    The 12-point security plan insisted upon by the PCI consists of:

    - Installation and maintenance of a firewall configured to protect data.
    - Issuance of unique, not vendor-supplied, passwords for system passwords and other security parameters.
    - Strong protection of stored data.
    - Encryption of cardholder data and sensitive information over public networks.
    - Installation and regular updating of antivirus software.
    - Development and maintenance of secure systems and applications.
    - Restriction of electronic access to cardholder data to only those who need to know.
    - Assignment of a unique ID to each person with network access.
    - Restriction of physical access to cardholder data.
    - Tracking and monitoring of all access to network resources and cardholder data.
    - Frequent testing of security systems and processes.
    - Maintenance of a policy that addresses information security.

    According to Visa’s website, the requirements of the PCI Data Security Standard “apply to all Members [sic], merchants, and service providers that store, process, or transmit cardholder data. Additionally, these security requirements apply to all ‘system components,’ which are defined as any network component, server, or application included in, or connected to, the cardholder data environment.”

    Size (i.e., volume) matters

    What that means for adult merchants, according to Netbilling Inc. President Mitch Farber, depends upon whether they have their own merchant accounts or process transactions through a third-party IPSP. “In most cases, an IPSP’s compliance means all of its client merchants are covered,” Farber says, noting that no final decisions have been made regarding high-volume merchants who fall under an IPSP’s umbrella. “Merchants who have their own merchant accounts will have to comply at various levels, depending upon the volume of transactions they process.”

    At least one financial industry analyst expects the data security standard’s consolidation to represent a moderate hardship on some merchants initially. Avivah Litan, research director at analyst Gartner, told E-Commerce Times that although the standard brings together differing schemes demanded by each credit-card giant and is designed to simplify the compliance process, “achieving compliance with these standards can still be very costly for merchants and acquiring banks.”

    That’s not necessarily true, according to Farber, who said only independent merchants who process more than 20,000 transactions a year are subject to the terms of the revised security standard in their entirety, and even then fees are reasonable through the security auditing firms Netbilling’s bank recommends. “We’ve negotiated a deal with the two firms we recommend under which our clients pay $149 a year if they’re required to have the quarterly scans, and $99 a year if all they need is the annual audit,” he says. “For merchants that do fewer than 20,000 transactions a year, the annual audit is voluntary but recommended. However, the acquiring bank can make it mandatory. It’s really a good idea to comply regardless of how many transactions you process, because compliance limits a merchant’s liability if their data is compromised.”

    Costly, time-consuming—and necessary

    The security requirements are nothing new for high-risk IPSPs like those that process for the adult industry, according to Pate, but his company doesn’t dispute it’s expensive and time-consuming to conform. “This could be problematic for some merchants, especially those that do not have an in-house IT department that specializes in such matters,” Pate opines.

    Paycom, which operates as Epoch in the adult space, knows that all too well, having successfully completed its fourth audit in as many years only two weeks ago, according to technology director Tony Keith.

    “Paycom has successfully complied with the CISP audit and SDP for the past three years, and we completed the extensive PCI audit just days ago,” Keith says. According to Keith, the new security standard is much more intensive in what he calls “granularity” than previous CISP and SDP requirements.

    “The card associations look at every aspect of our business,” Keith says. “It’s not just about technology, security, and policy. Everything from the infrastructure, documentation, physical location, internal systems, and even the personnel are evaluated, and there are strict, detailed requirements and assessments. The audit included many more detailed testing procedures this year. It is a time- and labor-intensive audit process, but one that makes sense and assures our clients that we are fully compliant with all security and card association requirements.”

    Added Paycom Chief Technology Officer and Manager Joel Hall, “Of course, the PCI is what we consider a minimum set of requirements. We always strive to improve our security stance above and beyond what is required of us.”

    The June 30 date for compliance by merchants was set in the wake of several recent high-profile consumer data leaks. In early- to mid-April, serious security breaches at financial institution HSBC North America and data merchants Lexis Nexis and ChoicePoint left hundreds of thousands of consumers vulnerable to identity theft and financial fraud when personal and financial information was obtained by hackers.

    http://www.avnonline.com/index.php?P...tent_ID=224494

    I wonder how much the CC companies are going to extort out of us this time around?

    Regards,

    Lee


  2. #2
    Xstr8guy
    Guest
    Oh man, I can't read all of that today. Where does it say the cost is going up?


  3. #3
    Corey Bryant
    Guest
    Fortunately, there are still some acquiring banks that do not have to charge those yearly registration fees.


  4. #4
    Chilihost (virgin by request ;))
    Join Date: Oct 2003 | Posts: 4,496
    I would be extremely surprised if these measures were not already implemented by the big IPSPs; that stuff is all pretty standard fare. I would not stress over this unless you had your own merchant account and had to comply with this on your own terms... but then again, I am sure that if you use somewhere like Netbilling, once again this will probably already be in place.

    cheers,
    Luke


  5. #5
    Corey Bryant
    Guest
    And actually most of the banks that Netbilling (an electronic payment gateway) uses charge that registration fee. (Sorry a pet peeve of mine - just like to make sure people know the difference between an electronic payment gateway, a merchant account provider (MAP), an acquiring bank, etc)


  6. #6
    Chilihost (virgin by request ;))
    Join Date: Oct 2003 | Posts: 4,496
    Corey, thanks for that clarification.

    cheers,
    Luke

