In 2001, Visa USA began instituting its Cardholder Information Security Program (CISP) in an effort to protect Visa cardholder data, wherever it resides, "ensuring that members, merchants, and service providers maintain the highest information security standard." To comply with CISP, Visa created a set of requirements that retailers, card processors, and POS vendors have to meet in order to properly secure the data embedded on each customer's Visa Card.
Though Visa's CISP was first implemented just over four years ago, the program's very existence may come as a surprise to many booksellers, or, if the name rings a bell, the details of the program may be hazy and unclear.
Booksellers are not alone: According to a survey conducted in spring 2005 by Protegrity Corporation, a Data Security Management company based in Stamford, Connecticut, almost 54 percent of "IT professionals surveyed believe their companies are still not entirely clear about the current data security requirements" in order to comply with CISP.
This is changing, however, as retailers, banks, POS vendors, and card processors have begun responding to CISP compliance validation due dates, some of which have now passed or loom on the horizon (more on that later).
Also helping to bring the issue to the fore are recent news headlines about data security breaches. For instance, in mid-July, Visa USA barred a payment processor, CardSystems Solutions, from handling Visa transactions because the processor "left the records of millions of cardholders at risk for fraud." This is the first time that Visa had ever fired a card processor, according to Avivah Litan, a security analyst at Gartner Group, Inc., a technology research group, as reported by the New York Times. There were also reports of alleged security breaches at Polo Ralph Lauren retail stores caused by the storage of credit card information in POS software, The Green Sheet reported. And Protegrity's survey noted that 87 percent of respondents "believed that internal misuse of sensitive data was the biggest threat to their companies, based on current security solutions in place."
Understandably, CISP has charged to the top of many a corporation's priority list.
What does all this mean for independent booksellers?
To help answer this question, Bookselling This Week has put together the following simplified CISP guide.
A 12-Step Requirement Program
It's important to note that CISP has different merchant levels with different validation requirements for each level. Merchant levels are based on Visa transactions and how many of those transactions a store processes per year, both via electronic commerce and in-store.
On the Visa website, the company warns merchants that "although there may not be a direct contractual relationship between merchant service providers (the companies that store, process, or transmit cardholder data on behalf of the merchant) and acquiring members (the bank), all members remain responsible for any liability that may occur as a result of CISP non-compliance." More importantly, the merchant bank has to include a "CISP compliance provision" in all contracts with retailers, as well as "nonmember agents," Visa USA's website noted. In other words, the acquirer, or bank, that contracts with merchants to enable the retailer to accept Visa must ensure that the contract includes CISP compliance. They also must ensure that any contracts with merchant service providers include CISP compliance as well.
Penalties for noncompliance include fines, restrictions on the merchant or the retailer's agent, or permanently prohibiting the merchant or its agent from participating in Visa programs. Moreover, if a Visa member fails to "immediately notify Visa USA Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident."
According to Visa, the fine for non-compliance is typically determined through a forensic investigation in the event of compromise. (There are different fines for non-compliance. The fine of $100,000 is for failure to report a breach, but if an entity fails to comply with the PCI Data Security Standard, their merchant bank could face fines for non-compliance.) A merchant who does not meet all of the requirements outlined in the PCI Data Security Standard or fails to go through the required validation could also be deemed non-compliant.
To achieve compliance with CISP, merchants and service providers must adhere to the "Payment Card Industry (PCI) Data Security Standard," "which offers a single approach to safeguarding sensitive data for all card brands."
Furthermore, as noted on the Visa website, other card companies operating in the U.S. have endorsed the PCI Data Security Standard "within their respective programs." In other words, one security standard fits all: If a retailer meets Visa's security standards, the retailer meets the security standards of all cards.
Keep in mind that CISP applies to all payment channels, including bricks-and-mortar retail, mail/telephone order, and e-commerce.
The PCI Data Security Standard consists of the following 12 requirements.
1. Install and maintain a firewall configuration to protect data. While for many home users this might mean installing security software such as the packages offered by McAfee or Norton, for businesses it means having hardware that protects the network by keeping hackers out. If you do not have a firewall, one can be purchased at any computer store. If you use a router, there's a good chance the router already has a firewall built in.
2. Do not use vendor-supplied defaults for system passwords and other security parameters. Whether it's the default passwords in your POS software or in your firewall, booksellers need to change the passwords of any software or hardware that helps store or transmit credit card data. The bottom line here is that a retailer can't just implement applications out of the box. Most applications do not come with secure features turned on by default. Change the defaults.
3. Protect stored data. Once again, a bookseller must make sure that credit card data cannot be accessed by unauthorized staff. Retailers should limit the amount of data that is retained to data that is absolutely necessary for their business. If data (particularly account numbers) is stored unnecessarily, eliminate it. What is needed should be stored in an encrypted format.
4. Encrypt transmission of cardholder data and sensitive information across public networks. A bookseller should make sure their POS system vendor is compliant with CISP encryption standards. Cardholder data should never be transmitted over the Internet unencrypted.
5. Use and regularly update anti-virus software. There are many good anti-virus solutions available, and, whether you are a home user or a business with access to the Internet, there's no excuse for not having anti-virus software. McAfee and Norton offer reputable anti-virus software, for example, or a bookseller can simply seek advice from their local computer store -- just don't go online without it.
6. Develop and maintain secure systems and applications. The bookseller is responsible for keeping system security patches up to date and for securely developing any web applications. You can find more detail within the PCI DSS. If you use Windows, simply go to the Microsoft website for patches.
7. Restrict access to data by business need-to-know. There must be strong access-control measures to be compliant with CISP. A bookstore can have many employees, and not everyone needs access to the POS software. Anyone with the authority to take a credit card or with access to the store transaction database must have a unique password and identifier, so that all access to data can be traced to a specific user and so that an unauthorized user can't access credit card data stored on the system.
8. Assign a unique ID to each person with computer access. If unclear on how to create a unique ID for each staff member, booksellers can check with their respective POS vendor. And make sure that staff log out when they are not at the computer.
9. Restrict physical access to cardholder data. Once again, a bookseller must restrict access to data by "need-to-know." Receipts with full printed account numbers should be stored securely.
10. Track and monitor all access to network resources and cardholder data. Simply put, the store owner or manager must be able to track users of the system through access to audit logs. For example, some operating systems, such as Windows XP, have the ability to log the activity of system users. Since each user will have a unique ID (see requirement 8), systems should be able to log user access based on those unique IDs.
11. Regularly test security systems and processes. One very basic way to test your security system is to attempt to "hack" it: provide a bad login name or an incorrect password and see whether the system lets you in. For more advanced tests, Visa recommends that booksellers ask their security vendors to provide additional testing, such as scans of Internet-facing systems (any system that someone on the Internet can reach directly, such as a web server). Security vendors are companies, e.g. Verisign, ISS, and Security Metrics, that offer security assessment services such as scanning; Visa's website lists qualified assessors experienced in working with merchants to ensure compliance. Testing can also include exercising the process for escalating a suspected security breach through the chain of command. Any hard-copy data should be protected through physical security controls and company policies regarding access controls (see requirements 7 and 12).
12. Maintain a policy that addresses information security. In other words, booksellers must create a security policy (using the previous requirements as the guideline), educate staff on this policy, and make sure it is maintained.
Find Your Merchant Level
So now that the bookseller has implemented the 12 requirements and is compliant, how does the bookseller confirm this status? Through what Visa terms "validation action." Different merchants have to follow different "validation action" requirements. As such, booksellers need to know their "Merchant level," as defined by Visa USA.
The CISP program places all merchants into one of four "merchant levels," based mainly on the number of Visa transactions processed annually. Most independent booksellers will fall into Level 4, but any retailer that has had patrons' credit card data compromised or had their system hacked is automatically placed into Level 1, regardless of the number of Visa transactions per year.
Here are the four levels, which merchants they apply to and what that means, along with their validation due dates:
Level 1. This level refers to any merchant processing over 6 million Visa transactions per year (this includes all face-to-face and online transactions cumulatively); any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant that Visa determines should meet the Level 1 merchant requirements to minimize the risk to the Visa system; or any merchant identified by any other payment card brand as "Level 1."
- The "Validation Action" due date for Level 1 merchants was September 30, 2004.
- Unless a bookseller's system has been compromised in the past, it is unlikely any independent bookseller would be considered "Level 1." In order to be compliant as a Level 1 merchant, the retailer must undergo an annual on-site security audit that is validated by an independent security assessor, or an internal audit that is signed by an officer of the company, and must conduct a quarterly network scan that is validated by a qualified independent scan vendor. The audit is conducted to ensure that the retailer has met the PCI Data Security Standard.
Level 2. This level refers to any merchant processing 150,000 to 6 million Visa e-commerce transactions per year. The "Validation Action" due date for Level 2 merchants was June 30, 2005.
- Validation Action: Level 2 merchants are required to conduct quarterly network scans -- an automated check of their systems for vulnerabilities. To be considered compliant with the network scanning requirement, merchants and service providers must scan their websites or IT infrastructures with externally facing IP addresses. Moreover, all scans must be conducted by a third-party compliant network security scanning vendor, selected from a list of approved vendors. Finally, acquirers, merchants, and service providers will need to follow each payment card company's respective compliance reporting requirements to ensure each payment card company acknowledges an entity's compliance status.
- Level 2 merchants must also complete an Annual Self-Assessment Questionnaire.
Level 3. This level refers to any merchant that processes 20,000 to 150,000 Visa e-commerce transactions per year. The "Validation Action" due date for Level 3 merchants was also June 30, 2005.
- Compliance requirements are the same as for Level 2 merchants (see above).
Level 4. This level refers to any merchant that processes fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 6 million Visa transactions per year. The "Validation Action" due date for Level 4 merchants has not yet been determined.
- Level 4 merchants still must comply with CISP, but compliance validation action for merchants in this category will be determined at the acquirer's discretion, meaning their bank will notify the merchant if validation is required. Visa USA, however, strongly encourages Level 4 merchants to complete an annual Self-Assessment Questionnaire and, if they have Internet-facing systems, to conduct annual network security scans (using a third-party compliant network security scanning vendor; see the Level 2 description). Any questions regarding compliance validation should be directed to the bookseller's acquiring bank or AskVisaUSA@Visa.com.
- While retailers that fall into category 4 are not required to pay for a yearly audit, Visa told BTW that "if merchants retain Visa account numbers on any systems (e.g. PC-based POS terminals, store controllers, back-office systems, etc.), they should look into this further to ensure they are not at risk. For merchants with a stand-alone POS system whose only method of data retention is receipts, they should review the questionnaire as part of their own due diligence and consider those questions that seem to be applicable to them."
Booksellers should be in contact with their POS vendor and/or credit card processor to ensure that each component of the credit card transmission process is secure and that everyone involved in card data transmission or storage is meeting CISP's requirements. Visa suggests that booksellers confirm that their payment application does not retain any prohibited cardholder data, such as full track data (the data captured from the magnetic stripe reader). Only account number, expiration date, and name may be retained from the card read. (In addition, all booksellers should be sure that receipts print only the last four digits of a customer's credit card number, as opposed to printing the entire number on the receipt.)
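As an added illustration of the two checks just described (not code from the article, from Visa, or from any POS vendor), the Python below audits records a payment application has retained, flagging full magnetic-stripe track data or any field beyond name, account number and expiration date, and formats a receipt line that prints only the last four digits. The record layout, field names and the card number are constructed for the example.

```python
import re

# Magnetic-stripe layouts (ISO 7813): Track 1 starts "%B<PAN>^<NAME>^<YYMM>",
# Track 2 starts ";<PAN>=<YYMM>". A retained value matching either is full track data.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")

# The only fields the article says may be kept from the card read.
ALLOWED_FIELDS = {"name", "pan", "exp"}

# Constructed sample records (field names are assumptions; the PAN is a synthetic test number).
CONSTRUCTED_RECORDS = [
    {"name": "J SMITH", "pan": "4111111111111111", "exp": "0907"},
    {"name": "A JONES", "pan": "4111111111111111", "exp": "0907",
     "track1": "%B4111111111111111^JONES/A^09071011234567890?"},
    {"name": "B LEE", "pan": "4111111111111111", "exp": "0907",
     "track2": ";4111111111111111=09071011234567890?"},
]


def mask_pan(pan: str) -> str:
    """Replace every digit but the last four, the form a receipt should print."""
    digits = re.sub(r"\D", "", pan)          # tolerate spaces or dashes in the stored PAN
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def contains_track_data(value: str) -> bool:
    """True if a stored value carries full Track 1 or Track 2 data."""
    return bool(TRACK1_RE.search(value) or TRACK2_RE.search(value))


def audit_retained_fields(record: dict) -> list:
    """Return one finding per way the record breaks the retention rule (empty = clean)."""
    findings = []
    for field, value in record.items():
        if field not in ALLOWED_FIELDS:
            findings.append(f"{field}: field not among name/pan/exp")
        if isinstance(value, str) and contains_track_data(value):
            findings.append(f"{field}: full track data retained")
    return findings


def receipt_line(record: dict) -> str:
    """Receipt text showing only the last four digits of the account number."""
    return f"VISA {mask_pan(record['pan'])}  EXP {record['exp']}"


if __name__ == "__main__":
    for rec in CONSTRUCTED_RECORDS:
        print(receipt_line(rec), audit_retained_fields(rec) or "OK")
```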
Also, in terms of making sure their POS system is compliant, booksellers can refer to a list of validated payment applications at www.visa.com/cisp.