Out-Law News

New credit card security rules for e-tailers


Internet retailers will have to improve their security and data handling processes in order to comply with new requirements published by the credit card industry. The new rules, from Visa and MasterCard, take effect on 30th June.
The Payment Card Industry Data Security Standard – the result of a collaboration between Visa and MasterCard – has the support of other card companies, including American Express, Discover and Diners Club, and represents a concerted effort to tackle identity theft and on-line fraud.

It sets out procedures for handling cardholder information in a secure manner, and requires that merchants carry out a quarterly compliance check. All merchants are covered by the standard, although only those carrying out more than 20,000 transactions per year will be obliged to have their compliance verified.

In brief, the merchant is obliged:
  • to install and maintain a firewall to protect data;
  • not to use vendor-supplied defaults for system passwords and other security parameters;
  • to protect stored data;
  • to encrypt the transmission of cardholder data and sensitive information;
  • to use and update anti-virus software;
  • to develop and maintain secure systems and applications;
  • to restrict access to data on a need-to-know basis;
  • to give a unique ID to each person with computer access;
  • to restrict physical access to the data;
  • to track and monitor all access to the network and data;
  • to regularly test security systems and processes; and
  • to maintain an information security policy.
The requirements are backed by tough sanctions – including heavy fines and the threat of the withdrawal of credit card processing facilities.

By using a single standard and enforcing it strongly, the credit card industry hopes to stem the tide of identity theft and on-line fraud.

Recent highly-publicised consumer privacy breaches include the loss of backup tapes containing the credit card information of 1.2 million federal workers by Bank of America, the loss of around 310,000 customers' personal information to identity thieves at a subsidiary of data broker LexisNexis, and the reported loss of transaction data belonging to around 180,000 customers of fashion house Polo Ralph Lauren.