Tags Archives: Visa

A Conversation with Visa

Wednesday was a busy day for me at the Community meeting. In between sessions, I spent thirty minutes with Eduardo Perez, head of global payment system security, Tia Ilori, business leader, U.S. payment system risk, and Ingrid Beierly, business leader, fraud control & investigations from Visa. Visa is the largest payment brand and creator of the Cardholder Information Security Program whose content drove the majority of what we see in the PCI DSS today. We started by discussing the fraud rates and how PCI DSS is helping to keep fraud under control. According to Perez, fraud rates are very low and fairly stable—around 5%. So PCI has to be doing SOME good if fraud rates are not spiraling out of ...

Last Word on the Visa TIP

The Visa Technology Innovation Program (TIP) is certainly stirring up all kinds of discussions in the technology community. I had an opportunity to get some clarification on exactly what these new changes from Visa mean for you, and wanted to summarize them here. Unlike the Compliance Acceleration Program (CAP) which used fines and interchange fees to motivate merchants, there is no true financial incentive to participate in the TIP… today. The closest resemblance to a financial incentive is the domestic and cross-border counterfeit liability shift. Merchants that cannot accept an EMV or contactless card when presented one by a customer will bear the liability of a fraudulent transaction instead of the issuer after October 1, 2015. The TIP mandates that ...

Is Visa Taking the Training Wheels Off of Security?

Step into the way-back machine with me and let’s turn the dial to 2000. What a glorious time that was! We were at the peak of what would soon be known as the DotCom Bust (although poor corporate accounting practices had a hand in this one as well). Information security was this fledgling group in most companies that was called to clean up virus outbreaks. Then we weathered the storm. Markets crashed, IT budgets were slashed to the bone, and security professionals suffered too. We fought hard for every single dollar that came our way, yet we still were playing catch up. Now let’s fast-forward to December 15, 2004, when the first release of the PCI DSS made its way into ...

PCI Board of Advisors, and Truncation Best Practices

Last week was the first PCI Board of Advisors meeting for the recently elected board set to serve through June 2013. While it was a very productive session, I will not be able to blog about much of the meeting. It’s that way by design (rightfully so). At some point, I’ll have a few additional guidelines to work within, but ultimately I signed an NDA as did my company, and I plan on honoring the terms of that NDA regardless of my thoughts about it. Just to clarify, I plan to honor the terms in the NDA that I signed, or live by the consequences if I don’t. But that’s not what this post is about. I’ve been an advocate ...

Visa Allows Non-US EMV Merchants to Forego PCI Assessments

Interesting note from Visa yesterday. They have given non-US merchants an escape hatch (Visa Europe’s version is here and differs from the Visa Inc. version in several ways) for validating PCI DSS compliance annually if they meet four specific requirements: The merchant must have validated PCI DSS compliance previously or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance based on a gap analysis. Visa Europe provides a separate procedure: Merchant must have: previously satisfied PCI DSS compliance validation by completing milestones 1-4 of the Payment Card Industry’s Prioritised Approach for PCI DSS OR have previously completed milestone 1 of the Payment Card Industry’s Prioritised Approach for PCI DSS and conducted a PCI DSS gap analysis against milestones ...

Tokenization and Chargebacks

The NRF released a brief yesterday discussing the clarification Visa made to the operating regulations related to the storage of full card data after the transaction. As suspected, some acquirers and processors were interpreting the rule to mean that Visa required merchants to store the full card number for things like chargeback processing (the clarification was made on the Issuer side of the transaction). Of course, with a phone call, acquirers quickly seemed to learn what the real intent of the rule was. I can only describe this second hand, but here’s what I know for sure. Over the last 6+ years, I have worked with many merchants to help them rid their systems of PANs. In exactly zero instances, I ...

Level 2 Merchants, Are Your Folks Trained?

Is anyone thinking about June 30, 2011 yet? If you are a Level 1 or Level 2 merchant, you certainly should be! Here’s why: MasterCard had a rough time last year. They made some new rules, they changed the rules, and then they removed many of those rules. This year, they worked out the kinks (arguably something they should have done before the first announcement) and have a revised set of requirements. Remember us talking about reciprocity last year? From the excellent post by Chris Mark on the end of the Level 4 Merchant to the retraction and strange website posts and commentary by MasterCard, reciprocity was a hotly debated issue. As of this writing, the reciprocity on MasterCard’s website ...

MasterCard/Visa Remove Reciprocity

Thanks to a fellow reader for pointing this out! It appears that MasterCard and Visa (sorta) have removed the reciprocity statements from their level definitions. Discover still has the reciprocity statement on their levels; American Express and JCB never used reciprocity for their level definitions (to my best recollection). Several industry insiders have been told that it was never the intent of MasterCard to force a merchant that accepts a single JCB card to go through an on-site assessment if they did not meet the MasterCard threshold. Now it appears that this is the case, as the official merchant level definitions reflect exactly this. Unfortunately, the road does not end there. In fact, it starts forking like crazy. Now that ...

Curious on Visa’s Deadlines?

Are you wondering which deadlines for PCI DSS have passed and which ones are upcoming? Unfortunately, in most cases the deadlines you are looking for are in the past, with some exceptions. That’s one of management’s challenges to PCI. Manager: “Tell me what the date is, and I’ll work toward the date.” You: “More than a year ago.” Manager: “I can’t manage to that. Go get an extension and tell me that date.” At this point, you pretty much should just make up a date. Sure, an acquirer can give you a date, as can some payment brands, if you pick up the phone and call them. It does not ultimately mean anything if you are breached tomorrow. For those ...

Visa Releases Data Field Encryption Guidance

Earlier this week Visa, Inc. released a best practice bulletin on data encryption that details five security goals (paying homage to The Security Catalyst’s “3s and 5s” rule), and thirteen best practices that companies can implement to meet them. The five goals as listed in the bulletin are: Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption. Use robust key management solutions consistent with international and/or regional standards. Use key-lengths and cryptographic algorithms consistent with international and/or regional standards. Protect devices used to perform cryptographic operations against physical/logical compromises. Use an alternate account or transaction identifier for business processes that require the primary account number to be utilized after ...
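Two of the posts above, “Tokenization and Chargebacks” and this encryption bulletin’s fifth goal, turn on the same idea: downstream processes such as chargebacks should run on an alternate identifier plus a truncated PAN, with the full PAN held only inside the vault that issued the token. The block below is an added illustration written for this page; it is not code from the blog, from Visa, or from the bulletin. It assumes a single in-memory vault standing in for a real token service (a real vault would keep its PAN store encrypted under managed keys, which is what goals one through four are about), and every card number in it is a constructed test value, including the classic 4111 1111 1111 1111 test PAN.

```python
"""Tokenization sketch: keep the full PAN out of chargeback records.

Added example for this page, not the blog's or Visa's code. The vault is
an in-memory stand-in for a token service; a real one would encrypt its
PAN store. All PANs are constructed test numbers.
"""
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """PCI DSS-style truncation: at most first six and last four visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Maps PANs to random tokens. Only the vault can reverse a token."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}
        # Vault-side secret used only to build a lookup index, so the same
        # card always yields the same token without storing a plain hash.
        self._index_key = secrets.token_bytes(32)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Issue (or re-use) a token. Tokens are random, not derived from the PAN."""
        if not luhn_ok(pan):
            raise ValueError("not a syntactically valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        token = "tok_" + secrets.token_hex(16)
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan   # assumption: encrypted at rest in a real vault
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (the 'point of decryption') can recover the PAN."""
        return self._pan_by_token[token]


def build_chargeback_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What a merchant's chargeback system should hold: token + truncated PAN."""
    return {
        "token": vault.tokenize(pan),
        "masked_pan": truncate(pan),
        "amount_cents": amount_cents,
    }


if __name__ == "__main__":
    vault = TokenVault()
    record = build_chargeback_record(vault, "4111111111111111", 1999)
    print(record)
    # The chargeback record never carries the full PAN; the vault still can.
    assert "4111111111111111" not in record.values()
    print("vault resolves", record["token"], "->", vault.detokenize(record["token"]))
```

The point to take from the record structure is that a merchant can work a chargeback with the token and the masked PAN alone; if the acquirer needs the full number, the token is resolved at the vault rather than being stored in the merchant’s dispute system, which is exactly the scope reduction the “Tokenization and Chargebacks” post describes.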