March 9, 2009
-
News: Visa Promotes Better PCI Compliance.
In the wake of the disastrous credit card breaches that have occurred recently, Visa says it is time to tighten up, and it is pushing this full-force. It all comes down to sharing responsibility. Third-party credit card processors can't bear the full brunt of it: as long as the data they hold contains too much sensitive cardholder information, the best they can do is try to protect it. The message here is that less is more. Rather than protecting more sensitive data, it is more effective for security to hold less of it in the first place.
Much of what they have to process can be eliminated. This part comes down to the merchants who submit credit card transactions for processing. One of the loose ends is the storing of all the information contained in the credit card's magnetic stripe (the ‘track data’). Visa contends that merchants don't need to store all of it.
Another area comprises user passwords and the card's ‘CVV2’ value. The CVV2 code is the three to four digits on the back of Visa credit cards, just to the right of the ‘signature strip’, and it is not stored on the magnetic stripe. This security code allows ‘card not present’ transactions, where the person placing the charge doesn't have to be physically present. That makes it much safer for thieves to use, so it is highly prized for compromise.
Once a transaction has been authorized, Visa's current "Cardholder Information Security Program" prohibits merchants from storing full track data. Some merchants are still using software that allows this. The only sensitive elements of the ‘track data’ that Visa's program rules permit to be stored are the PAN (the credit card number), the card's ‘expiration date’ and the cardholder's name. This is already encapsulated in the PCI DSS (Payment Card Industry Data Security Standard). The PCI standard has already been deemed a requirement for merchants who accept Visa cards for payment. Merchants who don't comply are ‘downgraded’ from the ‘best rate’ according to the severity of the infraction, meaning the merchant is charged a higher percentage rate on the transactions it submits to the payment processors.
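As an added illustration of the storage rule above (example code, not from Visa or the original post), the following Python keeps only the permitted elements of an authorization request and audits already-stored text for data that should not be there. It assumes the ISO/IEC 7813 track layouts; the sample card number in the comments and tests is a constructed value.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Magnetic-stripe layouts per ISO/IEC 7813 (format code B):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# Discretionary data carries card-verification values and must never be kept.
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<yymm>\d{4})\d{3}[^?]*\?$")
TRACK2_RE = re.compile(r"^;(?P<pan>\d{13,19})=(?P<yymm>\d{4})\d{3}[^?]*\?$")


@dataclass(frozen=True)
class StorableCardRecord:
    """Only the elements the post says a merchant may keep after authorization."""
    pan: str            # must still be protected at rest; out of scope here
    expiry_yymm: str
    cardholder_name: Optional[str]


def minimize_for_storage(auth_request: Dict[str, str]) -> StorableCardRecord:
    """Project a raw authorization request onto the permitted fields only.
    Whole track strings, CVV2 and PIN data are never copied into the result."""
    if "track1" in auth_request:
        m = TRACK1_RE.match(auth_request["track1"])
        if not m:
            raise ValueError("malformed Track 1 data")
        return StorableCardRecord(m["pan"], m["yymm"], m["name"].strip())
    if "track2" in auth_request:
        m = TRACK2_RE.match(auth_request["track2"])
        if not m:
            raise ValueError("malformed Track 2 data")
        return StorableCardRecord(m["pan"], m["yymm"], auth_request.get("name"))
    # Keyed / card-not-present entry: any CVV2 in the request is deliberately dropped.
    return StorableCardRecord(auth_request["pan"], auth_request["expiry"],
                              auth_request.get("name"))


# Audit heuristics for data that should not exist in stored records or logs.
PROHIBITED = {
    "track1": re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}\d{3}"),
    "track2": re.compile(r";\d{13,19}=\d{4}\d{3}"),
    "cvv2_field": re.compile(r"""["']?(cvv2?|cvc2?|cid)["']?\s*[:=]\s*\d{3,4}""", re.I),
}


def find_prohibited_data(stored_text: str) -> List[str]:
    """Name each kind of prohibited data found in a stored record or log line."""
    return [kind for kind, rx in PROHIBITED.items() if rx.search(stored_text)]
```

Running `find_prohibited_data` over database dumps and application logs is a cheap way to confirm that older point-of-sale software is not still writing full track data or CVV2 values.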
