Visa U.S.A. works with e-merchants to "deadbolt" their front doors
[March 5th 2001]
In a move to bolster the security of online commerce, Visa U.S.A. has announced that it is offering its e-merchants assistance in safeguarding their customers' payment card data. Visa's efforts are designed to help e-merchants meet a May 2001 deadline for compliance with 12 security guidelines. Visa developed these guidelines last fall to protect cardholder data from hackers.
Each of the 12 guidelines, which contain comprehensive specifications, is part of Visa's Cardholder Information Security Program (CISP). The CISP guidelines include required activities such as installing firewalls, keeping security systems up-to-date, encrypting stored data and using anti-virus software (see complete list below).
Visa has a long history of working with merchants, banks, law enforcement agencies and regulatory agencies to develop innovative risk management tools to secure new payment channels. This ongoing collaboration has resulted in security enhancements that include magnetic stripe technology, address verification, and neural network technology, which monitors usage and can actually detect fraud as it is occurring. Also, Visa's Zero Liability Program ensures that cardholders are fully protected against any monetary losses due to fraudulent use of their payment cards.
These Visa security measures have helped merchants reduce fraud and build consumer confidence in various payment channels. Overall credit card fraud in the late 1980s was about 20 cents per $100 in transaction volume. By 2000, overall fraud had dropped to about 7 cents per $100.
The Visa Secure Commerce Program addresses the four most critical elements in securing the online payments chain: cardholder identification and authentication, data security, fraud control, and protecting and streamlining the payment system. The guidelines are as follows:
- Install and maintain a working network firewall to protect credit card data accessible via the Internet.
- Keep security patches up to date.
- Encrypt stored data.
- Encrypt data sent across networks using Secure Sockets Layer (SSL) or other techniques.
- Use and regularly update anti-virus software.
- Restrict access to data by business "need to know."
- Assign a unique ID to each person with computer access to data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Track access to data by unique ID.
- Test security systems and processes daily.
- Maintain a policy that addresses information security for employees and contractors. Industry experts routinely note that 70 percent of fraud can be traced to internal compromise.
- Restrict physical access to cardholder information. Give an individual or team specific responsibility for managing information security.