Credit- and debit-card transaction-processing companies have been scrambling to meet stringent security standards laid down by American Express, Discover, MasterCard, and Visa. After the security breach disclosed last month at CardSystems Solutions Inc., which exposed more than 40 million accounts, the major card companies are being challenged to ensure that transaction processors not only get into compliance but stay there.
Cynergy constantly ensures against data compromise, CIO Ordonez says.
Compliance isn't just about passing annual audits. "It's what happens between the audits that counts," Ordonez says. "We store millions of card numbers, so we need to constantly ensure against compromising that data."
As of June 30, any entity that stores, processes, or transmits cardholder data had to comply with the Payment Card Industry Data Security standards, which require access-control measures, regular network monitoring and testing, and an information-security policy. Annual security audits and quarterly network scans also are required.
Just how many transaction-processing companies are compliant with the Payment Card Industry requirements isn't clear. Visa has published a list of about 150 compliant service providers, which it says represent most major payment processors. But Ordonez says there are hundreds of smaller processors, many of which could fold under the cost of compliance.
Companies that experience breaches and are found not to be in compliance face stiff penalties. Banks are responsible for ensuring compliance of the service providers they use and of their merchants' service providers. Visa can fine banks up to $500,000 per incident for any merchant or service provider that's compromised and not compliant.
Visa and MasterCard have had security programs in place for several years, but enforcement was sometimes left to others. About two years ago, Princeton eCom Corp., which provides electronic bill-payment services for banks and other companies, was told by First Data Corp., a card payment processor, that it had to comply with Visa's program as a condition for building a link to First Data's systems. First Data was a processor for one of Princeton eCom's customers, says Jennifer Roth, product management VP at Princeton eCom.
Princeton eCom had built a link with another card processor, Paymentech LP, but Paymentech "hadn't brought it up as an issue," Roth says. Princeton eCom hired AmbironTrustWave, an information security auditing firm, to assess its program, and it received its compliance documentation late last year.
CardSystems has hired AmbironTrustWave to assess its Payment Card Industry compliance and says it plans to comply with Visa's and MasterCard's programs, both of which incorporate the Payment Card Industry standards, by Aug. 31. CardSystems had been verified as compliant with the Visa program in June 2004 but was later declared out of compliance when it was discovered that it was inappropriately storing cardholder data.
VeriFone Holdings Inc., a provider of payment terminals and software, began adapting its products to meet the Visa guidelines in 2003. Last year, it acquired the assets of GO Software, including its payment-processing software, and VeriFone had to devote six months of development and testing, including adding 128-bit encryption, to make those products compliant. During that work, Marco Mabante, VP of compliance and integration, says, "product development was at a standstill."