Retailers rush to meet credit card deadlines

Merchants scrambled this summer to meet a Sept. 30 deadline for compliance with Visa's Cardholder Information Security Program (CISP), while also working to meet requirements of a separate MasterCard infosec program.

CISP, launched four years ago, defines steps – including firewall and encryption requirements – merchants and service providers must take to ensure security of Visa cardholder data. Merchants that process more than six million Visa transactions annually faced the Sept. 30 compliance deadline while smaller merchants must comply by next March. Any that fail to comply face an initial fine of $50,000.

A lot of retailers were under the gun to comply with the CISP requirements, some of which are viewed as draconian, said Michael Rasmussen, Forrester Research analyst: "They require 30-day patching and a lot of things organizations aren't prepared to do."

Not only are CISP's security requirements daunting for merchants, but those which do business online also are dealing with MasterCard's Site Data Protection (SDP) program's 88 requirements, of which about 47 resemble CISP requirements, noted Pat Gilmore, a director at security consultancy InfoSecurityOne and vice-president of (ISC)2. MasterCard will begin assessing fines on large online merchants in January if they are not SDP compliant.

While Visa and MasterCard agreed to support only one network scanning program, they could agree to an overall consolidated program, said Gilmore, who is helping companies with compliance.

"Who's next? American Express and DiscoverCard? Why don't they just all get together and establish one program that all will be satisfied with?" she asked.

Visa did not respond to our requests for comment. A MasterCard spokesperson said that the company is working with Visa to find similarities between CISP and MasterCard SecureCode, an online authentication solution, and "align where appropriate."
