Information Security News mailing list archives

Visa Sets Net Security Measures


From: William Knowles <wk () C4I ORG>
Date: Wed, 9 Aug 2000 16:16:40 -0500

http://www.wired.com/news/business/0,1367,38136,00.html

Reuters
12:10 p.m. Aug. 9, 2000 PDT

BETHESDA, Maryland -- Visa, the world's biggest payment card network,
said Wednesday it was setting 10 new security rules for transactions
done over the Internet by its more than 21,000 member financial
institutions and their merchant partners.

Visa tied the moves to combating online fraud -- running at more than
three times the rate of card fraud overall -- as well as to boosting
consumer confidence in electronic commerce. It said it was also eager
to head off possible new government regulatory action by policing
itself.

John Shaughnessy, senior vice president for risk management for VISA
USA, said the new requirements -- including a network "firewall" to
protect data accessible from the Internet -- will be phased in
worldwide over the next year after they are spelled out in detail in a
"few weeks."

Visa will work with members to monitor compliance and use outside
experts to test firewalls, starting at Internet service providers and
similar "gateway" portals that provide card payment services for
commercial Web pages they host, he told a Bethesda conference on
business solutions to cybercrime.

The rules are meant to be respected ultimately by all merchants
accepting Visa cards, the world's most widely accepted form of
"plastic" payment, Shaughnessy said.

"If you're a merchant, this is stuff you want to do," he said. "It's
just good business. It's as simple as that."

Enforcement could involve fines, restricting the dollar amount of
sales that individual merchants could process through the network, or
terminating their Visa membership.

The new requirements include keeping security systems up to date,
encrypting stored data accessible from the Internet, encrypting data
sent across networks, and using and regularly updating anti-virus
software.

Also, those accepting Visa payments must not use vendor-supplied
defaults for system passwords and other security passwords. They must
assign unique IDs to each person with computer access to data; track
access to data, including "read only" material, by unique ID;
regularly test security systems and processes; and immediately
investigate and report to Visa any suspected loss of cardholder data.

VISA USA announced in February that its overall fraud loss had dropped
to an all-time low of six cents per $100 in transactions, down from
seven cents in 1998 and 18 cents in 1992.

But fraud in "card-not-present" transactions -- such as telephone and
mail-order sales -- totaled about 15 to 20 cents per $100 in 1999 and
the Internet-related part of that is typically higher, Shaughnessy
said. He said the biggest source of such fraud was stolen account
numbers.

"We feel like we can take a leadership role" in managing such fraud,
making it unnecessary for the government to get involved, he said. "We
want to do it this way."

In 1998 about $1.4 trillion in products and services were purchased
using the 600 million Visa cards accepted at more than 17 million
places worldwide, according to Visa.

Of the total VISA USA card volume of $724 billion in 1999, about 2
percent involved online purchases. VISA projects this will quintuple
to 10 percent by 2003, according to Angela Grothoff, a spokeswoman in
New York.

With more merchants doing business online than any other card company,
"Visa is in a position to really impact the security of online
commerce" with its new rules, she said.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

