Retailers rush to meet credit card deadlines

Merchants scrambled this summer to meet a Sept. 30 deadline for compliance with Visa's Cardholder Information Security Program (CISP), while also working to meet requirements of a separate MasterCard infosec program.

CISP, launched four years ago, defines steps – including firewall and encryption requirements – merchants and service providers must take to ensure security of Visa cardholder data. Merchants that process more than six million Visa transactions annually faced the Sept. 30 compliance deadline while smaller merchants must comply by next March. Any that fail to comply face an initial fine of $50,000.

A lot of retailers were under the gun to comply with the CISP requirements, some of which are viewed as draconian, said Michael Rasmussen, Forrester Research analyst: "They require 30-day patching and a lot of things organizations aren't prepared to do."

Not only are CISP's security requirements daunting for merchants, but those which do business online also are dealing with MasterCard's Site Data Protection (SDP) program's 88 requirements, of which about 47 resemble CISP requirements, noted Pat Gilmore, a director at security consultancy InfoSecurityOne and vice-president of (ISC)2. MasterCard will begin assessing fines on large online merchants in January if they are not SDP compliant.

While Visa and MasterCard agreed to support only one network scanning program, they could agree to an overall consolidated program, said Gilmore, who is helping companies with compliance.

"Who's next? American Express and DiscoverCard? Why don't they just all get together and establish one program that all will be satisfied with?" she asked.

Visa did not respond to our requests for comment. A MasterCard spokesperson said that the company is working with Visa to find similarities between CISP and MasterCard SecureCode, an online authentication solution, and "align where appropriate."
