Dr. Matthew Dunn
If your credit card data handling is up to scratch (CISP certified), it may be the mythical $50 limit. If you haven’t gotten around to CISP yet, add four zeros to that figure. Does that get your attention?
The purpose of this article is to bring the Visa CISP (Cardholder Information Security Program), and similar programs, to your attention. MasterCard has SDP; American Express has DSOP; and Discover has DISC, but we’ll just call it CISP for short.
CISP aims at ensuring the security of cardholder data—and in turn, transactions and personal privacy. Visa and MasterCard have defined standards for the processes and systems related to customer data. The standards, known as the PCI (payment card industry) Data Security Standard, define the criteria for safe handling, and define the basis for Visa’s validation of compliance.
The program is relevant in different ways depending on your company’s transaction volume. Visa groups it like this:
Level 1: Companies that handle more than 6 million transactions a year. (If this is the first you’ve heard of CISP, you’re out of the loop at work because you’re probably already CISP certified. Deadline: 9/30/04)
Level 2: Companies that process 150,000 to 6 million Visa e-commerce transactions a year. (Cancel those HITEC tickets if you’re just starting. Deadline: 6/30/05)
Level 3: Companies that process 20,000 to 60,000 Visa e-commerce transactions a year. (They couldn’t spare you for HITEC anyway, but same cutoff. Deadline: 6/30/05)
Level 4: Companies that process fewer than 20,000 Visa e-commerce transactions per year. (Read this article anyway. Fine print: “Level 4 merchants must comply with CISP, validation determined at discretion.” Deadline: TBD)
The reason these levels and deadlines should be of interest to you is, quite simply, your company will have to comply sooner or later. And although the CISP/PCI standards are reasonable, sensible, prudent and all that other stuff, adhering to them requires process control and rigor. If your company isn’t CISP-certified already, you’re likely to have to make changes to get there.
Take your knowledge of the way your company (and your systems) handle cardholder data, and put it up against the 12 PCI data security standards. See the sidebar on page 122 to take the test.
So, assuming you’re reading this because you’re not CISP compliant yet, some of these issues require detailed work encompassing people, processes and systems. In fact, the workload goes beyond your walls to include your technologies and services vendors. Those 12 bland phrases imply a pretty serious effort.
Far too frequently, an external mandate that includes standards or systems gets tossed by default on the technology workpile. Let me suggest that this isn’t “an IT thing,” it’s a business thing. Let’s look at a few pragmatic ways to get compliance efforts rolling.
Executive ownership. Someone with a C in their title cares about this issue, because, let’s face it, credit cards are the cashflow lifeline. Get clarity on who is responsible for achieving compliance and where it sits in his or her objective and budget.
Awareness. For any security issue, workplace culture is the best ally or worst adversary. I’m not suggesting pop quizzes on the 12 standards, but practical stuff like training, reinforcement and recognition.
Broaden the circle. If you’re a Level 2 to 4 company, you’d be well served to figure out which of your partners is already motivated and equipped to help you with this problem. If you have a credit card processor, start there. (And if they’re not CISP certified, you should be asking some very serious questions.)
Systems vendors are the next logical target. Doing some of what Visa et al want done requires their help. Some vendors have made a clear public commitment to CISP; Sophie Grigg, vice president of research and development for PAR Springer-Miller Systems, said, “We are modifying code to include extra levels of encryption across all applications to support our customers’ need to comply. It’s defined as a project across all of our development teams.”
If you’re on the hotel side of the equation, you can and should ask your key vendors to step up to the plate.
Motivation won’t be a problem in any case. So saith Visa, “Members receive protection from fines for merchants or service providers that have been compromised but found to be CISP compliant at the time of the security breach. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not CISP compliant at the time of the incident.”
Wow, that ought to light a few fires!
Dr. Matthew Dunn is principal of Socratech, Inc., a consulting firm specializing in Internet strategy for hospitality and other industries. He can be reached at (360) 543-7914 or matthew@socratech.com.