VP-ASP :: Shopping Cart Software

Shopping Cart Software Solutions for anywhere in the World

US/Canada(Toll Free): +1 888 587 2278
Europe/UK: +44 (020) 7193 9408
Australia/New Zealand: +61 3 9016 4497

VP-Cart StoreFront Customer Forum

Home | Profile | Register | Active Topics | Members | Search | FAQ
Save Password
Forgot your Password?

 All Forums
 VPCart Forum
 Credit card fraud and hackers
 Warning: Visa''s New Security Program in 2004
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

Starting Member

3 Posts

Posted - December 12 2003 :  10:32:13  Show Profile  Reply with Quote
In November 2003, a hacker ran a script that sent an email from our site to a small number of customers. The email requested credit card information. A few customers complained so we made the unfortunate decision to report this to our merchant bank as a precaution.

MasterCard required a statement saying that we do not store payment information on the server. Discover and American Express never contacted us at all.

Visa, however, has been relentless. They may very well put us and our hosting company out of business. And everyone involved has unanimously determined that, in fact, no sensitive customer information was even compromised. Doesn't matter.

We have found out, as a result of the experience, that Visa has been busy enforcing their latest fraud prevention program (known as CISP) on larger merchants and most payment gateways. In 2004, this program will be enforced with ALL merchants and hosting companies.

Read more about it here: http://www.usa.visa.com/business/merchants/cisp_index.html?it=h2_/index.html

Take a moment to read the Compliance Questionnaire that ALL merchants and ISPs will have to complete: http://www.usa.visa.com/media/business/cisp/ComplianceQuestionnaire.pdf

This is not just for Amazon, WalMart, etc. It's for ALL merchants.

This program requires that all merchants taking Visa online must pass payments through a CISP-certified hosting company. However, there are currently NONE out there. The alternative is to redirect to a CISP-certified payment gateway's payment form so the credit card details never pass through the merchant's site or server. This is the only thing close to a reasonable solution we've been able to get from Visa.

Why are there no CISP-certified hosting companies out there? Because it costs up to $90,000 USD for an independent on-site audit for "larger" companies. For the smaller hosting companies, you may only have to have a remote audit done thats "very affordable" according to Visa. This will be somewhere around $5000 USD, if you pass inspection on the first go.

In 2004, Visa will "roll out" this program to all of us and require that an independent security firm audit all merchant sites AND the servers they are hosted on. Here's a quote from an email from our merchant bank: "As far as your scans, we don't know what Visa's plans are but we know they will require some sort of scanning service performed for all merchants who have an Internet presence. It would not be a weekly scan. It may be quarterly - we just don't know yet. This program will roll out sometime in the first quarter of 2004 and again, all merchants who have an Internet presence will be required to enroll."

So, merchants will have to pay to have scans run on their sites and continue to pay for follow-ups until the scans satisfy Visa. This is not a one-time thing. It will be on a regular basis. It will be even more intesive and expensive for hosting companies. A remote security audit will cost around $5000, more if you have to remediate any issues and follow up. It is not clear whether or not a hosting company will HAVE to do this if all of their ecommerce sites switch to payment processing through a gateway. Based on what we've heard though I imagine they will have to "enroll". According to Visa's site, fines for non-compliance or failing to correct problems they find during the scans start at $50,000 USD.

Here's an interesting quote from Visa: "Any merchant running an ecommerce site should have an IT department." It's obvious (if not amazing) that Visa knows very little about the majority of the ecommerce sites and hosting companies out there operate.

We're planning to put up a web site to document our experience and warn the internet community in advance. But we thought we should start here.

For now, feel free to email us at [email protected] if you have questions.

Edited by - LionMedia on December 12 2003 16:08:40

Mark Priest
VP-ASP Expert

United Kingdom
573 Posts

Posted - December 13 2003 :  01:35:01  Show Profile  Reply with Quote
Visa will never go through with it. It would put them out of business!! why, people would switch to other cards!


Go to Top of Page

Starting Member

3 Posts

Posted - December 13 2003 :  18:40:35  Show Profile  Reply with Quote

One would think they would understand that. hope this is the case but I would recommend that all merchants contact their merchant banks just to ask a few questions and make some noise if necessary. The most surprising part is they don't believe the requirements "are unreasonable nor difficult to do". I received this information personally from the Director of eCommerce Risk, Visa USA so I took it seriously enough to spread the word.

MasterCard has a similar program in the works but we're not clear when/if they plan to follow Visa's lead.

Also, we are a US-based business so I'm not sure how it will affect the International community.

Tracey W.

Go to Top of Page

Starting Member

United Kingdom
37 Posts

Posted - December 13 2003 :  19:20:08  Show Profile  Visit uksports's Homepage  Reply with Quote
From my reading of this,it is focused at the Payment Service Providers, not at individual merchants, unless you are big enough that your servers communicate directly with the banks computers.

99% of merchants will use a PSP (we have a merchant account but use WorldPay as the PSP) and it is the PSPs system that will be required to meet these requirements.

So unless you're amazon or ebay, it won't impact you directly, and it will be the PSP who will be required to set the standards that thye require.

This is a similar story to the one earlier in the year regarding massive fees that turned out to only involve large adult related sites that had massive chargeback liability.

Go to Top of Page

Starting Member

3 Posts

Posted - December 13 2003 :  20:33:09  Show Profile  Reply with Quote
Yes, we have been told that Visa is rolling this out in phases, starting with the gateways and large merchants. Starting in 2004, the medium to small merchants and hosting companies will be next. This is published on their web site: http://www.usa.visa.com/business/merchants/cisp_index.html?it=h2_/index.html

If a merchant is redirecting payments through the payment gateway's payment form and not storing or processing payments through the site or hosting company, then you should be ok. But then we received this from our merchant bank: "But we know they will require some sort of scanning service performed for all merchants who have an Internet presence. It would not be a weekly scan. It may be quarterly - we just don't know yet."

We stumbled upon this (very unfortunately) by accident and hopefully it will turn out to be nothing. But I would still recommend contacting your merchant bank to at least ask some questions.

Go to Top of Page

Starting Member

5 Posts

Posted - December 24 2003 :  19:00:29  Show Profile  Reply with Quote
Hi There,

We are actively working towards encouraging our customers to pay via direct deposit. This eliminates the card companies and all the rest that goes with it. :) Reducing the risk, worries, etc.

The merchant has been in the past, and will be in the future, fully reliable for any transaction that has gone bad.
The system could be so much more effective, if the card holder's name and/or address could be verified, not by disclosing it, but by returning a true/false flag from the payment gateway... but privacy excuses are being used by the banks against this approach.

I concur with Mark, most merchant would not accept these cards anymore... whether it pans out is another matter. In case a company can fork up the money to comply, it will use it to its advantage.

Happy Xmas, and a prosperous New Year.


Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000