
Visa takes carrot-and-stick approach to security

Offers $20 million in incentives and creates sanctions to spur adoption of security rules for credit card transactions.

Joris Evers Staff Writer, CNET News.com
Hoping to accelerate the adoption of rules for credit card safety, Visa will offer $20 million in incentives for merchants and transaction service providers.

The goal of the incentives is to encourage merchants to stop storing sensitive card data, the credit card association said Tuesday. Earlier this year, Visa warned that the software retailers use to process card transactions may inadvertently retain sensitive customer information, including full magnetic-stripe data and PIN codes, after a sale is authorized. Fraudsters who obtain full magnetic-stripe data can use it to produce counterfeit duplicate cards.
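The retained-data problem described above is usually caught by scanning point-of-sale hosts and their logs for card data that should never have been written to disk. The following is an added example, not code from the original article or from Visa: a small scanner that runs over constructed log lines (the card numbers are well-known test PANs that pass the Luhn check but are not issued to anyone) and reports stored Track 2 magnetic-stripe data and bare card numbers, using a Luhn check to discard look-alike digit strings. The log format is an assumption made for the example; real POS logs vary.

```python
import re
from typing import Dict, List

# Constructed sample of the kind of debug log a point-of-sale application
# might leave behind if it logs raw card-reader input. Test PANs only.
SAMPLE_LOG = """\
2007-03-20 10:14:02 txn=1001 approved amount=42.10 auth=123456
2007-03-20 10:14:03 txn=1002 swipe=;4111111111111111=0912101123450000?
2007-03-20 10:15:47 txn=1003 pan=5555 5555 5555 4444 exp=0910 status=approved
2007-03-20 10:16:01 txn=1004 ref=4111111111111112 status=declined
2007-03-20 10:17:22 txn=1005 approved amount=9.99 auth=654321
"""

# Track 2 as read from the magnetic stripe: ;PAN=YYMM<service code><discretionary>?
# Storing this after authorization is what the Visa warning is about.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)
# A bare card number, 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so the report itself is not a leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    # Full-track data first, then blank it so the PAN inside is not reported twice.
    for m in TRACK2_RE.finditer(line):
        pan = m.group("pan")
        if luhn_ok(pan):
            findings.append({"kind": "track2", "pan": mask(pan), "exp": m.group("exp")})
    remainder = TRACK2_RE.sub(lambda m: " " * len(m.group(0)), line)
    for m in PAN_RE.finditer(remainder):
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(pan):        # e.g. a reference number that fails Luhn is skipped
            findings.append({"kind": "pan", "pan": mask(pan), "exp": ""})
    return findings


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per stored card-data item, with the line number."""
    results: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for f in scan_line(line):
            f["line"] = str(lineno)
            results.append(f)
    return results


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['pan']} exp={f['exp'] or '-'}")
```

Only the swipe on line 2 and the unmasked number on line 3 are reported; the declined transaction's reference number on line 4 looks like a PAN but fails the Luhn check and is dropped. Encrypted PIN blocks do not match these patterns, so a scan like this is evidence of a problem when it finds something, not proof of a clean system when it finds nothing.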

"Visa is providing positive and negative incentives to merchant banks and card-accepting merchants to ensure that they are properly protecting card holder data," said Eduardo Perez, vice president of payment system risk at Visa.

Though credit card companies instituted common security rules for card-accepting businesses two years ago, only about one-third of the biggest merchants are compliant, Visa said in a statement. Smaller businesses are even further behind, the company added.

However, Visa said that most merchants are working toward meeting the security rules, called the Payment Card Industry Data Security Standard. The PCI security standard was developed by MasterCard and Visa. It aims to reduce the risk of an attack by mandating the proper use of firewalls, encryption of cardholder data sent over public networks, computer access controls and antivirus software. It also requires regular security testing and network monitoring, and forbids keeping vendor-supplied default passwords on systems that handle card data.

Today, banks that deal with merchants face fines if those merchants don't comply with the credit card security rules. Critics, however, have said that enforcement is lax.

Sanctions and incentives
As part of the new initiative, Visa is creating sanctions for merchants that don't comply with the rules. In 2006, the credit card giant levied $4.6 million in fines, up from a 2005 total of $3.4 million, it said. The fines hit the banks, which may pass them on to noncompliant merchants, Perez said.

As for incentives, these are available to transaction service providers that deal with the largest 1,200 merchants. These sellers, combined, account for about two-thirds of Visa's U.S. transaction volume, the company said. The money is being offered to businesses that validate their PCI compliance by August 31, 2007, and that have not been involved in a data compromise.

In addition, Visa will give better rates to service providers that have certified compliance, another incentive for those that work with the larger merchants.

Rival credit card association MasterCard has its own programs to push credit card security, as do other credit card companies.