Visa U.S.A. has given merchants until May 1 to comply with security guidelines it published last year. The guidelines include policies and practicesmerchants should take, from configuring firewalls properly to maintaining stringent control of customer data.
Visa faces a dilemma, however. If it enforces the guidelines with fines, as it said it might do, it risks losing business to other card companies that haven't delivered such an ultimatum. MasterCard International has published its own guidelines for e-commerce security but doesn't force merchants to comply, according to a company spokeswoman.
But with the theft of credit-card information last year from online retailers such as CD Universe and Egghead.com, Visa decided it needed to get tougher with some merchants. Some 83% of the 132 merchants surveyed by software supplier CyberSource and Mindwave Research last year said fraud is a problem, up from 75 % the previous year.
Visa has been working to get compliance kits into the hands of participating merchants through Visa-issuing financial institutions, said John Shaughnessy, senior vice president of risk management at Visa U.S.A. About 50 merchants have agreed to comply with Visa's requirement.
Visa had been considering its ultimatum for some time, observers said. "Visa is bringing the industry up-to-date with the current state of technology," said Nick Baxter, senior vice president at First National Bank of Omaha's merchant-acquiring service.
Although many of the bank's larger clients already comply with the Visa rules, the smaller ones may have more of a challenge implementing security, he noted. Reluctant participants might be struggling dot-coms that lack the capital to maintain adequate security.
But even for established companies, security needs to be an ongoing process, Baxter said. A company may be in compliance on Monday, but by Wednesday a security hole can be created by a misconfigured firewall or failure to apply a security patch.
What if merchants don't comply? Shaughnessy acknowledged it's a tough balancing act. "We're more interested in facilitating trust on the Internet
rather than scaring merchants."