Visa issues 10 'commandments' for online merchants

By Maria Trombly
Computerworld, 08/11/00

In an attempt to reduce online credit-card fraud, Visa U.S.A. in San Francisco announced 10 "commandments" for online merchants to guard its cardholders' information. And, next week, Visa will follow up by releasing the details of a broad online security program.

John Shaughnessy, Visa's senior vice president for risk management, said merchants would be required to obey these rules or face fines, sales restrictions or loss of membership.

The rules won't go into effect immediately but will be phased in over the course of a year, starting in the fourth quarter, Visa spokeswoman Angie Grothoff said.

The first sector that will have to comply are gateways and Internet service providers. Visa partners would be expected to be compliant in the first quarter of next year; major Internet "pure plays" in the second quarter, third parties in the third quarter and other merchants in the fourth quarter.

Among the new requirements, merchants must install a firewall, keep security patches up-to-date, encrypt stored and transmitted data, use and regularly update antivirus software and restrict employee access to sensitive data to a need-to-know basis.

Merchants must also assign unique IDs to everyone with access to data, track access by ID, avoid using default settings for passwords and regularly test security systems.

Brian Buckley, Visa's vice president for product risk and analysis, said these security initiatives are expected to reduce Internet transaction disputes by up to 50%.

According to a recent survey by Stamford, Conn.-based Gartner Group Inc., credit-card fraud is 12 times higher for online merchants than their offline counterparts.

About 1.1% of online credit-card transactions involve stolen card numbers, said Gartner analyst Ken Kerr. Online merchants have to bear the cost of the scam, while the credit-card companies usually take care of the bill for fraudulent face-to-face transactions, he added.