Credit Card Companies Adopt New Online Security Measure

NEW YORK - (04/25/05) -- Plagued by a rash of recent security breaches, Mastercard, Visa, American Express, Diners Club and JCB Cards are all requiring Internet retailers to adopt a new online security system, known as Payment Card Industry Data Security Standard, by June 30, or face significant fines. The broad adaptation will require retailers to carry out a 12-step security audit, be certified annually, and be checked every three months, and comes as a growing number of online thefts of cardholders' data is being reported. Last year, 163 credit unions were forced to recall their credit/debit cards because of a security breach at BJ's Wholesale Club. Two weeks ago HSBC warned 180,000 customers of its General Motors-branded MasterCard to cancel their cards in the face of possible theft from retailer Polo Ralph Lauren. And just last week, Lexis Nexis reported that hackers had gained access to its database, possibly gaining access to customers' data. Among the requirements under PCI are that retailers: install and maintain a firewall; do not use vendor default passwords on IT products; prove strong protection of stored data; encrypt cardholder data transmitted over public networks; install anti-virus software; control access to data on a need-to-know basis; restrict physical access to cardholder data; and frequently test security systems and processes.
