Retailers rush to meet credit-card deadlines


Merchants scrambled this summer to meet a Sept. 30 deadline for compliance with Visa's Cardholder Information Security Program (CISP), while also working to meet requirements of a separate MasterCard infosec program.

CISP, launched four years ago, defines steps – including firewall and encryption requirements – merchants and service providers must take to ensure security of Visa cardholder data. Merchants that process more than six million Visa transactions annually faced the Sept. 30 compliance deadline while smaller merchants must comply by next March. Any that fail to comply face an initial fine of $50,000.

A lot of retailers were under the gun to comply with the CISP requirements, some of which are viewed as draconian, said Michael Rasmussen, Forrester Research analyst: "They require 30-day patching and a lot of things organizations aren't prepared to do."

Not only are CISP's security requirements daunting for merchants, but those which do business online also are dealing with MasterCard's Site Data Protection (SDP) program's 88 requirements, of which about 47 resemble CISP requirements, noted Pat Gilmore, a director at security consultancy InfoSecurityOne and vice-president of (ISC)2. MasterCard will begin assessing fines on large online merchants in January if they are not SDP compliant.

Although Visa and MasterCard have so far agreed to support only a single network scanning program, they could go further and agree on one overall consolidated program, said Gilmore, who is helping companies with compliance.

"Who's next? American Express and DiscoverCard? Why don't they just all get together and establish one program that all will be satisfied with?" she asked.

Visa did not respond to our requests for comment. A MasterCard spokesperson said that the company is working with Visa to find similarities between CISP and MasterCard SecureCode, an online authentication solution, and "align where appropriate."
