Merchants scrambled this summer to meet a Sept. 30 deadline for compliance with Visa's Cardholder Information Security Program (CISP), while also working to meet requirements of a separate MasterCard infosec program.
CISP, launched four years ago, defines steps – including firewall and encryption requirements – merchants and service providers must take to ensure security of Visa cardholder data. Merchants that process more than six million Visa transactions annually faced the Sept. 30 compliance deadline while smaller merchants must comply by next March. Any that fail to comply face an initial fine of $50,000.
A lot of retailers were under the gun to comply with the CISP requirements, some of which are viewed as draconian, said Michael Rasmussen, Forrester Research analyst: "They require 30-day patching and a lot of things organizations aren't prepared to do."
Not only are CISP's security requirements daunting for merchants, but those that do business online are also dealing with MasterCard's Site Data Protection (SDP) program's 88 requirements, of which about 47 overlap with CISP requirements, noted Pat Gilmore, a director at security consultancy InfoSecurityOne and vice-president of (ISC)2. MasterCard will begin assessing fines on large online merchants in January if they are not SDP compliant.
While Visa and MasterCard have so far agreed to share only a single network scanning program, they could go further and agree on an overall consolidated program, said Gilmore, who is helping companies with compliance.
"Who's next? American Express and DiscoverCard? Why don't they just all get together and establish one program that all will be satisfied with?" she asked.
Visa did not respond to our requests for comment. A MasterCard spokesperson said that the company is working with Visa to find similarities between CISP and MasterCard SecureCode, an online authentication solution, and "align where appropriate."