New Security Focus at Visa (Not the Web)

Visa U.S.A. is shifting the focus of its fight against fraud away from the Internet to merchants with actual stores.

The card association made several changes to its Payment Card Industry Data Security Standard (PCI DSS) last week, and in the near future it plans to require additional steps to curb the theft of customer data stored by merchants.

The policy change recognizes that the Internet, long viewed as a magnet for card fraud, has become safer, and that many criminals now counterfeit cards using data stolen from cards' magnetic stripes, which can be obtained in bulk from stores where the actual cards are swiped.

Fake cards can be used at automated teller machines to withdraw cash or to make purchases at stores, and are more useful to criminals than bare card account numbers. In February, magnetic stripe (track) data on at least 600,000 accounts was stolen, and phony cards created from the stolen data were used in at least three foreign countries.

"It's clear that the fraudsters are after track data, and an e-commerce merchant won't necessarily have track data," said Martin Elliott, Visa's vice president of emerging risk.

The new rules reflect that "the e-commerce merchants have been working hard over several years to secure their environment" and "have been doing a fairly good job of shoring up their defenses," Mr. Elliott said. The rules are not a response to any single incident.

Christopher Thom, MasterCard Inc.'s chief risk officer, agreed that both online and brick-and-mortar merchants need protection against fraud. Though he said there are "higher incidents of fraud in electronic commerce" than "in the physical world over all," he also said MasterCard has to "find solutions that address account data compromise that will affect all delivery channels."

"We don't now make any distinction between online merchants and physical merchants," Mr. Thom said, because hacking or data theft "can occur at any type of entity."

On July 18, Visa began paying more attention to merchants' transaction volume, instead of where the transactions originate.

Visa divides its merchants into four categories. Level 1, merchants that accept more than 6 million transactions a year, must undergo annual on-site security audits and quarterly scans to ensure they comply with Visa's rules. Level 4 is for the smallest merchants, those that accept fewer than 20,000 online transactions a year or up to a million transactions a year at a walk-in store. These merchants may have to perform self-assessments, on a case-by-case basis.

The middle two levels were once reserved entirely for online transactions. Now Level 2 covers merchants with transaction volume of 1 million to 6 million a year "regardless of acceptance channel." Level 3 is still solely for online transactions but now covers a range of 20,000 to 1 million transactions. In both categories merchants must perform annual self-assessments and quarterly scans.

Visa also plans to require merchants to use payment processing software from a list of applications that do not automatically store magnetic stripe data without the merchants' knowledge, Mr. Elliott said. The stripes hold names, card numbers, expiration dates, and other data.

The February incident has been linked to software that was storing this data, in violation of rules set by the card associations in January 2005.
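The retention problem described above is something a merchant can check for directly. The following scanner is an added example, not code from the article, from Visa, or from any of the software vendors it mentions: it searches stored records (a constructed point-of-sale log, not data from the February incident) for full Track 1 or Track 2 magnetic-stripe data, using the ISO/IEC 7813 track layouts (an assumption this example makes; the article does not describe the stripe format), validates the card number with the Luhn check to reduce false positives, and reports each hit with the PAN masked to its first six and last four digits so the report itself does not become another copy of the data.

```python
"""Scan stored records for retained magnetic-stripe (track) data.

Added example. The track layouts below follow ISO/IEC 7813 (an assumption;
the article gives no format details), and SAMPLE_RECORDS is constructed.
"""
import re

# Track 1 (IATA format): %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2 (ABA format): ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_valid(pan):
    """Return True if the digit string passes the Luhn check (mod 10)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the first six and last four digits of a card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text):
    """Return a list of findings for each Luhn-valid track record in text."""
    findings = []
    for m in TRACK1_RE.finditer(text):
        pan, name, expiry, service = m.group(1), m.group(2), m.group(3), m.group(4)
        if luhn_valid(pan):
            findings.append({"track": 1, "pan": mask_pan(pan), "expiry": expiry,
                             "service_code": service, "name": name})
    for m in TRACK2_RE.finditer(text):
        pan, expiry, service = m.group(1), m.group(2), m.group(3)
        if luhn_valid(pan):
            findings.append({"track": 2, "pan": mask_pan(pan), "expiry": expiry,
                             "service_code": service})
    return findings


def scan_records(records):
    """Scan an iterable of log lines; return findings tagged with line numbers."""
    hits = []
    for lineno, rec in enumerate(records, 1):
        for f in find_track_data(rec):
            hits.append({"line": lineno, **f})
    return hits


# Constructed sample log: line 1 is a compliant record (last four digits only);
# lines 2 and 3 retain full Track 1 / Track 2 data, which PCI DSS forbids after
# authorization; line 4 holds a 16-digit order id that is not track data; line 5
# looks like Track 2 but its number fails the Luhn check, so it is not reported.
SAMPLE_RECORDS = [
    "2006-07-18 09:12:03 auth ok amount=42.17 pan_last4=1111 approval=A1B2C3",
    "2006-07-18 09:12:05 DEBUG raw=%B4111111111111111^DOE/JANE^2512101000000000?",
    "2006-07-18 09:13:41 DEBUG raw=;5555555555554444=25121010000000000?",
    "2006-07-18 09:15:00 order_id=4111111111111112 status=shipped",
    "2006-07-18 09:16:22 DEBUG raw=;1234567812345678=25121010000000000?",
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS):
        print(hit)
```

Only lines 2 and 3 are reported. Run against real storage, the scanner belongs on database dumps, application debug logs, and core files as well as transaction logs, since the article's point is that the application stores the data without the merchant knowing where.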

Mr. Elliott could not say when merchants will have to use software from the approved list. Visa is notifying software vendors of the impending change.

The card companies consider all Internet purchases to be card-not-present transactions. They typically scrutinize these transactions more carefully than when the card is presented to the merchant.

At stores and ATMs, a card swiped through a reader is taken as settling one of the merchant's most basic concerns: whether the customer actually has the card. A counterfeit card encoded with stolen track data passes that same check, which is why the data is so valuable to criminals, Mr. Elliott said. "Issuers, when they receive it, believe the cardholder is present."

Brian Riley, a senior analyst in the bank cards practice at TowerGroup, a unit of MasterCard International, said it is not uncommon for merchants to mishandle card data. "That's really where the failures have gone through - in the casual attitudes" toward the data security standards, he said.

MORE FROM AMERICAN BANKER