by CIO Staff

Visa and MasterCard Offer Security Test Kits

Oct 25, 2005
IT Strategy

Visa and MasterCard have launched free self-assessment tools for merchants and providers to test and validate the security of their e-commerce connections. In an effort to combat credit card fraud, the two companies have developed a set of standards for transaction security (called the Payment Card Industry Data Security Standard), a checklist for ensuring systems are up to scratch, and access to a free security assessment tool provided by ScanAlert.

Visa head of third-party assurance, Edward Lodens, said Visa has 62 percent market share in the Asia-Pacific region (including Hong Kong and Japan), which is why the company needs to take a leadership role in developing standards, rolling out programs and ensuring merchants and third-party providers can secure transactional data.

Lodens said the global program to protect cardholder information began in 2001 and since then they have tried to push the information down to the merchant level.

“It is essentially three things – a set of standards called Payment Card Industry Data Security Standard (PCIDSS), a foundation framework to validate those standards and tools to validate compliance,” Lodens said.

“The Account Information Security (AIS) standard was developed by Visa in 2001 and the MasterCard data protection standards were developed in 2003 and we have joined those standards.

“Prior to this, MasterCard standards were focused on business with Internet connectivity and the Visa standards covered Internet trading as well as face to face trading.

“The PCIDSS follows the introduction of AIS numbers by Visa a few years ago, which was a standard that had to be met by July this year; MasterCard had a standard deadline of October and merchants said ‘why not come together and develop the one standard’.

“The silver bullet [that will cut down credit card fraud] is the prohibition of storing magnetic stripe authentication data because if there is nothing to steal, nothing can be stolen – that is the key message.”

The AIS standard is broken down into three parts. Merchants with a low volume of transactions (less than A$10,000 (US$7,489) a month) are required to complete a self-assessment questionnaire answering 75 security and process-related questions. Merchants with a medium volume of transactions (A$10,000 and A$15,000 a month) must complete the self-assessment questionnaire as well as quarterly vulnerability scans (using ScanAlert). High-volume traders (more than A$50,000 transactions a month) must complete the self-assessment questionnaire and quarterly vulnerability scans, and also undergo an onsite review of practices.

By Michael Crawford, Computerworld Today