Wednesday, July 31, 2013

Is Your Shopping Cart Software Putting Your Family and Home at Risk?

In 2005, Visa put forth a set of guidelines, Payment Application Best Practices (PABP), for anyone involved in the chain of a Visa transaction, on the internet or off. During the early phases, only large merchants were 'put to the screws' with costly validations by independent certification agencies, now known as Qualified Security Assessors (QSAs), the 'CSI' forensic labs of our technology field. Small to medium businesses (SMBs), and their suppliers in the Visa chain, simply had to 'self-certify' that they were following the rules. Until now...

Five years have passed, and now we're into the final phase of Visa's 'Compliance Mandates', and still the majority of SMBs appear to be unaware, unconcerned, or simply believe the rules won't apply to them. We've heard it all: "We're using a custom ecommerce solution, so we're not required to be certified", "We don't store credit card numbers in our database", "We're using a 'PCI compliant solution'", or "We do less than a million a year in sales, so the rules don't apply to us." Or do they?

If you accept credit card transactions directly on your website, where the payment form or checkout page asking for the credit card data is hosted on your domain, then you should keep reading. However, if you are only using a certified offsite payment solution such as PayPal Express, Google Checkout or a similar system, where the customer is directed to another site to make the payment, then fortunately the rules don't apply to you.

You might be a little concerned right now, and you should be. As of July 1st, everyone in the chain of a Visa transaction must be using systems and applications certified compliant by a QSA. Just like the big boys, you can no longer simply claim you're 'compliant', and if you don't follow the rules, you won't get protection when you have a breach. Just as Visa protects its cardholders from fraudulent transactions if they follow the rules, Visa may protect you, as a merchant, from the expenses of a breach if you follow the rules. Since these breaches are so very costly, expect Visa to be carefully watching the 'naughty and nice' list.

Any breach is almost certainly equal to a death sentence for any unprotected SMB.

Even if you don't have a breach, come October the 12-month deadline on Phase 4 looms, by which VNPs (VisaNet Processors) and agents must decertify all vulnerable payment applications. This really means that, quietly in the background, merchant account providers and payment gateways are compiling a list of 'vulnerable payment applications', which they must decertify within 12 months of identification. The products most at risk of decertification are high-profile open source products, which have almost certainly been identified by multiple VNPs and agents by now.

If you're unable to move to one of the few certified solutions, such as AbleCommerce, you can buy some time by offering only offsite payment methods such as Google Checkout. However, sales will be lower when you are unable to offer onsite payment options.

On July 1st, 2010, Visa can make you pay for a breach, or investigation of a breach, if you are not following the rules. Are you ready?

Sources -

Background information on the Payment Application Security Mandates is available at the following URL: usa.visa.com/merchants/risk_management/cisp_payment_applications.html#anchor_3

The list of Validated Payment Applications is available at the following URL:
