A Compass to Navigate the Compliance Waters
The issue of security, specifically security of consumer payment card data, is making headlines nationwide. In light of recent breaches, now more than ever merchants must be able to assure their customers that they are capable of securely storing and transmitting cardholder data.
Even though liability limits somewhat protect consumers, it only takes one stolen credit card number or one successful hack to instill panic in a merchant's customers. That's why ISOs/merchant level salespeople (MLSs) have the opportunity, and some might argue the obligation, to do their part to help safeguard consumer payment data.
Let's step back a bit. A lot of discussion about compliance and validation is taking place, and there is an alphabet soup of acronyms. What exactly are people in the industry talking about?
In a nutshell, Visa U.S.A. and MasterCard International both created programs designed to protect cardholder information. Visa's version is the Cardholder Information Security Program, or CISP. MasterCard's version is the Site Data Protection, or SDP.
Late last year, the Associations aligned the two programs into the Payment Card Industry Data Security Standard, now commonly referred to as PCI. The goal of PCI is to unify industry security requirements for storing, processing and transmitting cardholder data.
The standards for compliance and the deadlines vary depending on the number of transactions merchants process. The program segments merchants into the following four levels:
Level 1: Merchants processing more than 6 million card transactions annually or who have suffered a hack or had account data compromised. These merchants should have validated their compliance by Sept. 30, 2004.
Level 2: E-commerce merchants processing 150,000 to 6 million card transactions annually. These merchants should have validated their compliance by June 30, 2005.
Level 3: E-commerce merchants processing 20,000 to 150,000 card transactions annually. These merchants also should have validated their compliance by June 30, 2005.
Level 4: All other merchants. Compliance is mandatory; however, proof of validation is optional.
Many readers of The Green Sheet provide service to retailers who do not conduct e-commerce transactions or have low annual transaction volumes. These retailers fall into PCI's Level-4 category. Even though Level-4 merchants are not required to validate their compliance, they are required to be compliant with PCI.
However, these merchants either aren't aware of their security risks, or they don't know how to get help. In many ways, these are the merchants that need protection the most.
One company, AmbironTrustWave, can help ISOs/MLSs meet the needs of such merchants. AmbironTrustWave is qualified to validate compliance for merchants and service providers.
The company provides information security and compliance management solutions to all kinds of businesses. It helps banks, merchants, service providers and software developers mitigate risk by validating compliance with industry best practices, including PCI, CISP and SDP.
AmbironTrustWave is the result of a merger in March 2005 of Ambiron LLC and TrustWave Corp. According to Robert J. McCullen, Chief Executive Officer of AmbironTrustWave, the companies came together to create a blend of consultative and government experience. The executive management team has experience in the National Security Agency, Secret Service and Department of Justice.
The company also has commercial industry experience through work for VeriSign Inc., Internet Security Systems Inc., Andersen Consulting (now known as Accenture) and Sun Microsystems Inc.
"Compliance and security are our core businesses; we are also very experienced within the payments industry," McCullen said. "This combination is unmatched in the industry."
The company has based its solutions largely on proprietary technology developed by in-house staff. "We have performed more compliance assessments than any other assessor," he said.
AmbironTrustWave employs 75 people in its 11 offices in the United States, including its corporate headquarters in Chicago. The company also has offices in London and Sydney. Together these locations serve more than 30,000 customers worldwide.
A Shared Responsibility
Safeguarding consumer data is important to every participant in the payment processing industry, including merchants, processors, acquirers, issuers and the card Associations. With that stake comes responsibility. "We are starting to see a responsibility shift," McCullen said. "It becomes a shared component."
Securing the supply chain requires merchants to use tools that are compliant and work within a secure infrastructure. "At the end of the day, it is the underwriting entity that is on the hook, the acquirers or ISOs, the merchant acquiring sales force. It is really incumbent on that entity to be compliant," he said.
That message is not lost on service providers. For example, recently Authorize.Net Corp. partnered with AmbironTrustWave to offer PCI compliance services to Authorize.Net's merchants.
AmbironTrustWave also formed a similar agreement with Vital Processing Services' value-added developers. Vital now requires all developers to comply with PCI in order to process payment transactions through its network.
AmbironTrustWave understands that education of all levels of merchants is fundamental in order to secure cardholder data. "Right now it seems it's been an Association message that has gone to large merchants, and that's where the focus has been," McCullen said.
In fact, many merchants don't understand the complexity or what it takes to become compliant. The company reports that it regularly receives calls from merchants who believe it takes only one day and one call to become compliant. They don't understand that compliance is not only about how or where data are stored, but also the policies, procedures and technologies in place.
That's one of the reasons why AmbironTrustWave devotes much of its efforts to education and makes instruction and communication priorities. "We think it is important to educate as well as offer services," McCullen said.
The company sponsors events and provides information about security issues such as DSL lines, wireless communications and payments over non-traditional methods.
How ISOs/MLSs Fit
Any entity that acquires merchants can offer AmbironTrustWave's compliance services to clients. This includes ISOs/MLSs. AmbironTrustWave works to educate ISOs/MLSs, so that when they sell POS devices they can make sure a merchant's systems are as secure as possible. Salespeople who offer AmbironTrustWave's services help merchants grow their businesses, while also increasing their own incomes and making their portfolios more attractive.
Since many mid- and small-size merchants don't have a dedicated IT department or security staff, they rely on ISOs/MLSs to help them secure their data and comply with regulations. Even if merchants don't know how to safeguard their customers' data, they still know they need to protect that data in order to be successful.
"Merchants want to be able to tell customers, 'I have a site that is going to protect your cardholder data,'" McCullen said. Offering merchants security and compliance solutions not only helps them increase sales, it helps ISOs/MLSs earn income as well.
Since there is less fraud and risk, both the ISO/MLS and the merchant save money and time.
"ISOs are in a position to offer security as a value-add service to their clients," McCullen said. "As a result, they can differentiate themselves from their competitors."
Merchants increase sales and ISOs/MLSs earn increased profits on the increased sales, as well as revenue through a referral-based program with AmbironTrustWave. Helping merchants safeguard their consumers' information not only increases sales but also makes ISOs/MLSs more credible and trusted in the industry. A portfolio free of blemishes is more attractive to larger ISOs and acquirers. "It's going to keep your name out of [the] press and your merchants' names out of [the] press ... Down the road there will be more scrutiny on the quality of portfolios," McCullen said.
With the increased focus on compliance, regulations and card Association deadlines, it might seem like merchants have been forgotten. They have not. "We are customer-centric," McCullen said. "We find innovative means to accommodate all different types of clients: large or small, global or local, advanced networks or simple."
AmbironTrustWave uses its experience in the public and private sector, as well as its relationships with industry players such as JPMorgan Chase, Discover, First Data, NOVA Information Systems and Paymentech to give clients the best information security and compliance management possible.
"You don't want to hurt your brand," McCullen said. "It's not just about losing cardholder data, it's about losing consumer confidence."