In an attempt to reduce online credit-card fraud, Visa USA in San Francisco has announced 10 "commandments" for online merchants to guard its cardholders' information. According to media sources, Visa intends to follow up this announcement with the release of the details of a broad online security program.
John Shaughnessy, Visa's senior VP for risk management, said merchants would be required to obey these rules or face fines, sales restrictions or loss of membership.
The rules won't go into effect immediately but will be phased in over the course of a year, starting in the fourth quarter, Visa spokeswoman Angie Grothoff said.
The first sector that will have to comply are gateways and Internet service providers. Visa partners would be expected to be compliant in the first quarter of next year; major Internet "pure plays" in the second quarter, third parties in the third quarter and other merchants in the fourth quarter.
Among the new requirements, merchants must install a firewall, keep security patches up-to-date, encrypt stored and transmitted data, use and regularly update antivirus software and restrict employee access to sensitive data to a need-to-know basis.
Merchants must also assign unique IDs to everyone with access to data, track access by ID, avoid using default settings for passwords and regularly test security systems.
Brian Buckley, Visa's VP for product risk and analysis, said these security initiatives are expected to reduce Internet transaction disputes by up to 50 per cent.
According to a recent survey by Gartner Group, credit-card fraud is 12 times higher for online merchants than their offline counterparts.
About 1.1 per cent of online credit-card transactions involve stolen card numbers, according to Gartner analyst Ken Kerr. Online merchants have to bear the cost of the scam, while the credit-card companies usually take care of the bill for fraudulent face-to-face transactions, he added.