May 1, 2001 marked an important deadline for any merchant that accepts the Visa card for online transactions. On that date, Visa U.S.A. said it would begin mandating compliance with its Cardholder Information Security Program (CISP).

CISP, announced last September, is intended to ensure merchants and others in the credit approval chain have appropriate security measures in place to protect cardholder information. Although it was established with mail, telephone and Internet merchants in mind, it also applies to brick and mortar merchants that accept these other forms of transactions.

Beyond that, however, CISP lays out security guidelines that any business would do well to follow.

In a presentation at the recent E-Security Conference and Expo in Boston, John Shaughnessy, senior vice president, risk management, for Visa U.S.A., said the idea behind the "Digital Dozen" security requirements that are at the heart of CISP was to "create a 'duh' list — stuff that nobody could argue with."

Visa has done just that, as the Digital Dozen consists of practices that have long been espoused by security pundits as fundamental (see chart). Whether user organizations meet each of the requirements is another question, one that Visa is trying to address.

  Visa's Digital Dozen security requirements  
  1. Install and maintain a working network firewall to protect data accessible via the Internet.  
  2. Keep security patches up-to-date.  
  3. Encrypt stored data.  
  4. Encrypt data sent across networks.  
  5. Use and regularly update anti-virus software.  
  6. Restrict access to data by business "need to know."  
  7. Assign a unique ID to each person with computer access to data.  
  8. Don't use vendor-supplied defaults for system passwords and other security parameters.  
  9. Track access to data by unique ID.  
  10. Regularly test security systems and processes.  
  11. Maintain a policy that addresses information security for employees and contractors.  
  12. Restrict physical access to cardholder information.  
These top-level principles apply to all entities participating in the Visa payment system that process or store cardholder information and have access to it though the Internet or mail-order/telephone-order.

Visa is starting by validating that its top 100 merchants are in compliance with CISP, Shaughnessy said. Merchants provide feedback on their security practices to the Visa member bank they deal with, known as the acquiring bank. Visa, in turn, confirms validation using third parties such as KPMG and Arthur Andersen.

Validation may include on-site security reviews, tests of internal servers and authorized attempted intrusions.

Should any holes be detected, different paths are followed depending on whether the merchant has a compliance plan in place or needs to develop one. "We don't want to shut people down," Shaughnessy said. "But if someone is negligent or belligerent in terms of cooperation, then we'll take a different tack."

In a follow-up interview conducted in mid-May via email, Shaughnessy said the compliance process is going well.

"Visa has been tremendously successful in achieving its number one goal: getting e-Merchants and Acquiring Banks to bolster efforts to ensure online security," he said. "Merchants are submitting initial statements of compliance along with action plans to get there. We can't disclose particulars about specific merchants because of security issues, but the ultimate goal is to work together to make consumers feel confident in this new channel of payment."

Merchants outside the top 100 will be tested at random for CISP compliance, given Visa doesn't have the resources to test all of them.

Visa also requires any merchant that gets hacked to immediately inform their acquiring bank; the bank, in turn, lets Visa know. During his E-Security show presentation, Shaughnessy insinuated Visa may impose fines or other sanctions on any merchant that fails to inform the acquiring bank of an intrusion.

"We tend not to disclose the specifics about actual sanctions we impose," Shaughnessy said. "But know that Visa is serious about making e-commerce as safe as possible for consumers."

For merchants, the message Visa is sending is simple.

"Unless you pass our requirements, we don't want you taking the Visa card," Shaughnessy said in his presentation. "That sounds harsh, but with our brand involved, we think it's a stand we have to take."

The program will soon extend to Internet Service Providers and other third parties that support Visa members in transacting business, he said, although details have yet to be announced.

"While Visa doesn't have direct contractual relationships with these entities, we do with our members. So working through our members, we're putting in place an infrastructure to strengthen security," Shaughnessy said in the email follow-up. "It's our members that have to deal with secure third parties and agents, after all, which is the thinking behind this strategy."

For more information, go to: