Visa Cardholder Information Security Program (CISP)
After the recent security breach at Card Systems, an Atlanta-based payments processing service provider for Visa and Mastercard, there is a renewed focus on data security. The details of 40 million cardholders were exposed, renewing concerns about the security and privacy programs of payments intermediaries such as Visa, Mastercard and Amex. Although all three have their own separate information security standards, the question is whether those policies are actually enforced or whether there are gaps.
In the Card Systems instance, Visa executives, in an attempt to deflect criticism, said that Card Systems was storing customer data after it had processed the transactions, a clear violation of Visa's CISP (see below for more information on CISP).
We can expect that Visa (and the others, MC and Amex) will crack down on third-party providers by insisting, at a minimum, on compliance statements and independent security audits.
Watch this space for more details...
Visa Cardholder Information Security Program (CISP) “defines a standard for securing Visa cardholder data, wherever it is located. CISP compliance is required of all entities that store, process, or transmit Visa cardholder data.”
http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
Despite the emphasis on secure transactions, the threat of identity theft of personal and sensitive information has escalated. To protect its customers and set precedence for data security, Visa established the Cardholder Information Security Program (CISP), which supports the Payment Card Industry (PCI) Data Security Standard outlining 12 security requirements for all members, merchants, and vendors who process, transmit, or store Visa cardholder data.
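The Card Systems problem described above was retained cardholder data: full account numbers sitting in post-authorization storage where the standard says they should no longer be. The check below is an added example, not code from Visa, CISP or the PCI standard: it scans constructed log records for candidate card numbers, confirms them with a Luhn checksum so that order numbers and timestamps are not flagged, and shows the truncated form (first six and last four digits) that may be kept instead. The sample records, the field names and the 13-to-19-digit pattern are assumptions for the illustration; the card numbers are standard test values, not real accounts.

```python
import re

# Constructed sample records, as if dumped from a processor's post-authorization log.
# Field names are assumed; the PANs are well-known test numbers that pass the Luhn check.
SAMPLE_RECORDS = [
    "2005-06-17 txn=1001 pan=4111111111111111 exp=0807 amount=19.99 auth=OK",
    "2005-06-17 txn=1002 pan=5500000000000004 exp=1206 amount=42.50 auth=OK",
    "2005-06-17 txn=1003 ref=411111******1111 amount=7.00 auth=OK",       # already truncated
    "2005-06-17 txn=1004 order=1234567890123 amount=3.00 auth=DECLINED",  # 13 digits, fails Luhn
]

# Card account numbers are 13 to 19 digits long; shorter digit runs (dates, ids) never match.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep first six and last four digits, the truncated form acceptable for retention."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_stored_pans(records):
    """Return (record number, PAN) for every unmasked, Luhn-valid card number found."""
    findings = []
    for lineno, rec in enumerate(records, 1):
        for m in PAN_CANDIDATE.finditer(rec):
            if luhn_valid(m.group()):
                findings.append((lineno, m.group()))
    return findings


def redact_records(records):
    """Return the records with every Luhn-valid card number replaced by its masked form."""
    def repl(m):
        return mask_pan(m.group()) if luhn_valid(m.group()) else m.group()
    return [PAN_CANDIDATE.sub(repl, rec) for rec in records]


if __name__ == "__main__":
    for lineno, pan in find_stored_pans(SAMPLE_RECORDS):
        print("record %d retains full PAN %s -> %s" % (lineno, pan, mask_pan(pan)))
    for rec in redact_records(SAMPLE_RECORDS):
        print(rec)
```

Run over a real export, `find_stored_pans` gives an auditor the concrete evidence a compliance statement alone cannot: which stores still hold full account numbers after authorization. The Luhn test is deliberate; without it a scanner over transaction logs drowns in false positives from order and reference numbers.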
The question is, and always was: are security policies by themselves effective, or do they need to be enforceable?
Do post your comments.
Rion
