December 12, 2006 12:23 PM PST

Visa takes carrot-and-stick approach to security

Hoping to accelerate the adoption of rules for credit card safety, Visa will offer $20 million in incentives for merchants and transaction service providers.

The goal of the incentives is to encourage merchants to stop storing credit card data, the credit card association said Tuesday. Earlier this year, Visa warned that the software that retailers use in card transactions may inadvertently store sensitive customer information, including PIN codes. Fraudsters can use this type of data to create duplicate cards.

"Visa is providing positive and negative incentives to merchant banks and card-accepting merchants to ensure that they are properly protecting card holder data," said Eduardo Perez, vice president of payment system risk at Visa.

Though credit card companies instituted common security rules for card-accepting businesses two years ago, only about one-third of the biggest merchants are compliant, Visa said in a statement. Smaller businesses are even further behind, the company added.

However, Visa said that most merchants are working toward meeting the security rules, called the Payment Card Industry Data Security Standard. The PCI security standard was developed by MasterCard and Visa. It aims to reduce the risk of an attack by mandating the proper use of firewalls, message encryption, computer access controls and antivirus software. It also requires frequent security audits and network monitoring, and forbids the use of default passwords.

Today, banks that deal with merchants face fines if those merchants don't comply with the credit card security rules. Critics, however, have said that enforcement is lax.

Sanctions and incentives
As part of the new initiative, Visa is creating sanctions for merchants that don't comply with the rules. In 2006, the credit card giant levied $4.6 million in fines, up from a 2005 total of $3.4 million, it said. The fines hit the banks, which may pass them on to noncompliant merchants, Perez said.

As for incentives, these are available to transaction service providers that deal with the largest 1,200 merchants. These sellers, combined, account for about two-thirds of Visa's U.S. transaction volume, the company said. The money is being offered to businesses that validate their PCI compliance by August 31, 2007, and that have not been involved in a data compromise.

In addition, Visa will give better rates to service providers that have certified compliance, another incentive for those that work with the larger merchants.

Rival credit card association MasterCard has its own programs to push credit card security, as do other credit card companies.

See more CNET content tagged:
Visa International, merchant, incentive, credit card, sanction


Join the conversation!
Add your comment
Not much of an incentive
Sadly, not much an incentive, for the banks involved for if you read the balance sheets, for every $ lost to fraud a minimum of ten to twenty times that value is lost annually in bad lending to bankrupt morons applying and extending their credit lines far beyond their ability to service the extensive debts incurred!

Given the simple fact they now operate credit card systems in full debt and cost plus recovery mode on both the merchant and consumer side of the fence, with even higher fees, interest and other off book charges, rarely do the losses from fraud exceed more than 1% of the the total card user base annual turnover with another 9% in the bad to doubtful debt range of which a fairly static 1 in five of those in the doubtful range will fallover into unrecoverable debt on an annual basis, which leaves the overcharging/reaming the remaining 90% of the card users being slugged additional taxes fees and charges, along with the entire merchant database!(chargebacks penalty fees and interest etc)

So where is the incentive?, for the banks to lift their security game, when they can easily tax the honest, to pay for the crooks and those who use credit cards to maintain an unsustainable life style or pay gambling debts!

I recall the biggest black spots for Visa card use is mainly in Indonesia and Malaysia(I once saw someone in Malaysia had access to Visa's banned card list, and when a certain card was removed from the list they proceeded to try and push through a further $100k in fraud on this particular card with a limit $1000, but since this particular merchant had only a small allocated limit of US$25 the entire balance was charged back and strange as it may seem two weeks later we received a letter from the acceptor Banks Merchant Department in Malaysia seeking details of the relative customer in question?

No incentive, when you can levy a tax on all the paying customers to cover all costs fees charges and any losses incurred on an annual basis, and if the losses go up so do all the merchant, customer fees and interest as well!
Posted by heystoopid (691 comments )
Reply Link Flag
(* ROFLOL *)
>>>The goal of the incentives is to encourage merchants to stop storing credit card data<<<

It's NOT the merchants... it's the illicit phishing sites and illegal SPAM which is causing the brunt of the problem. Taking a whack at merchants is like placing a screen door on a submarine to prevent leaks...

It does nothing to solve the REAL problem!!!

Posted by wbenton (522 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.