The deadline is also for full compliance with 12 key elements of the PCI Data Security Standard, but those have already been required, although compliance has been spotty. The verification audits are the new element for June 30, along with a series of potential finesas much as $500,000for those that don't comply.
Even Visa officials are not saying that full compliance with the June 30 deadline will have a material impact on reducing computer fraud, but that it's a start.
"It's going to be an ongoing process. We're raising the security bar. I'm sure PCI will evolve over the next months, certainly years," said John Shaughnessy, senior vice president of fraud management for Visa USA. "I don't think there's a single silver bullet anywhere on Earth. I don't think we've ever represented this as the be all and end all" for absolute security.
The PCI Data Security Standard is little more than a common-sense list of good security procedures and includes a firewall requirement and instructs retailers to "not use vendor-supplied defaults for system passwords" and "assign a unique ID to each person with computer access."
One major area of concern is retailers who store too much information, often to make transactions easier for themselves and for customers. Storing the non-raised three-digit cardholder verification number, for example, defeats the whole purpose of having such a number.
The security improvement effortbacked by Visa, MasterCard, Citigroup's Diner's Club, American Express and Morgan Stanley's Discoverhas been pursued for four years with little success.
Visa is threatening retailers who miss this latest deadline with fines and "permanently" throwing the retailer off the credit card company's network, according to a Web site Visa created for retailers.
If a Visa retailer, for example, doesn't alert Visa to a loss of cardholder or any other security problem, the retailer faces a penalty of $100,000 per incident. Fines can also be issued "if a member knows or suspects a security breach with a merchant or service provider" and doesn't "take immediate action to investigate the incident and limit the exposure of cardholder data," according to the Web site.
Next Page: Impetus for crackdown.
This article was originally published on 04-26-2005