LAS VEGAS - Concerned that too many Internet hacking incidents go unreported by merchants and third-party transaction handlers, Visa U.S.A. and MasterCard International say they are laying out stricter and clearer rules about how data should be handled, though they still will leave the decision to report breaches up to the individual companies.
Executives from the card associations said in presentations Wednesday at the Electronic Transactions Association's annual meeting here that the companies have developed programs aimed at making transactional Web sites less vulnerable to hacking, but that most incidents go unreported - or undetected - by the merchants.
A California law slated to take effect July 1 would require all companies in the state to notify customers when their personal information is compromised - not just through a Web site breach. Though the Visa and MasterCard executives did not address this law directly, their discussion of the online hacking problem painted the whole security problem in shades of gray, raising the question of how difficult it might be to determine whether a breach had occurred and whether it rose to a level that would merit a customer alert.
John Verdeschi, the director of e-business and emerging technologies at MasterCard, said it plans to publish new security standards next week as part of its Site Data Protection program, or SDP, which helps merchants analyze their Web sites from the "outside-in, providing a visual map of how a hacker views" the site.
In the past, he said, merchants did not "need to do technological due diligence," only financial due diligence. But times have changed.
SDP, begun in February 2002, categorizes risks found in the system, recommends improvements, and notifies Web site owners when new vulnerabilities are discovered. MasterCard's service collects all the security bulletins from software manufacturers and sends e-mail notices to merchants on the latest patches available.
Visa U.S.A.'s program goes a bit further. The Cardholder Information Security Program (CISP) addresses the needs not only of Web merchants but of all third-party service providers. The compliance date was originally May 1, 2001, but the "drop-dead deadline" is now Sept. 30, 2003, said Thomas Fowler, a vice president of Visa U.S.A.'s acceptance group.
CISP lists dozens of common-sense practices that Mr. Fowler calls the "duh list." They include installing and maintaining working firewalls, using and updating anti-virus software, restricting employees' access to cardholder data, and keeping security patches fresh.
"You'd be surprised at how a lot of these third-party entities out there just don't keep up-to-date with patches," Mr. Fowler said.
Simple steps such as changing the vendor's default ID password can make a system more secure, he said.
Ultimately, "anyone who touches Visa data must be CISP-compliant," Mr. Fowler said. That would include all processors, third-party service providers, Web-hosting companies, gateways, independent sales organizations, managed service providers, and Visa vendors.
Compliance with CISP must be validated by an independent security assessor approved by Visa, who must use Visa's standardized testing procedures.
"This is not a one-time requirement, but an annual requirement," Mr. Fowler said.
Penalties can be pretty stiff: The first violation could result in a $50,000 fine to members, a second violation could bring a $100,000 fine, and an "egregious violation" up to $500,000, Mr. Fowler said.
He said he expects there will be "some push-back" on the CISP-compliance requirement and the Sept. 30 deadline, but if companies were asked only "when they could be ready, they'd say, '2007.' There's too much risk to the system."
Chris Mark, a Visa-approved security assessor with the British company Cable and Wireless, said an assessment can take from six to 12 weeks, about 150 hours of work, and cost $10,000 to $15,000. But if "a lot of remediation" is needed the cost can spike to $65,000.
Web site hacking is so prevalent and can be so well disguised that only about 15% of all hacks are detected, and of those, about 10% of merchant hacks are made public, MasterCard's Mr. Verdeschi said. "There's not a lot of incentive to report them" because of bad publicity for the merchant, he said.
The good news: Only about 10% of those who hack into Web sites and possibly steal credit card information or other private consumer information are "competent programmers," Mr. Verdeschi said.
The rest are amateurs who use bulletin boards like insecure.org, piracy.com, and hackers.com that "tell you step by step how to break into Web sites," he said, noting that there are 30 hacker publications, 440 hacker bulletin boards, and about 400,000 hacking-tip Web sites.
The operators of these sites track software manufacturers' announcements of product flaws and of the security patches meant to correct them. The typical software program has hundreds of potential gaps, Mr. Verdeschi said.
When a company goes public with a new vulnerability, he said, "they notify the security community and the hacking community at the same time. It becomes a race. The problem is people don't download the patch."
Larry Ponemon, the chairman and founder of the Ponemon Institute in Tucson, which is dedicated to responsible information management practices, said in a separate conference session Wednesday that most corporations are woefully lacking in a comprehensive approach to consumer privacy issues.
Most companies have a privacy policy. But Mr. Ponemon, citing studies by his organization, said only about 8% of the policies are easy to read, only 15% are translated into multiple languages, and 12% do not note a redress process for consumers. And he said that only about a third of companies have budgets for privacy initiatives.
Such shortcomings can haunt a company if its Web site gets hacked and consumer information gets compromised, Mr. Ponemon said. The damage could be a "front-page story that can result in a decline in [the company's] stock price," he said.
His discussion included a couple of his own experiences with data collectors.
One company told him he was a graduate of the University of Kansas (he is not). Though the information might have been gathered for marketing purposes, it could be transferred and used to determine "whether I can get on an airplane," Mr. Ponemon said.
"Who's watching the watchers and making sure they're doing the right thing?" he added.
Another time, he completed a survey from a bank shortly after starting an account with it. He thought it went too far by requesting the names of his children, so he gave the name of his dog, Colonel Dan. The survey said all information the customer provided was confidential and would not be used in any promotion, but a few weeks after filling it out Mr. Ponemon got a letter addressed to "Colonel Dan, retired Colonel of the U.S. Air Force."
Bank executives told him they did not know how that could have happened, and promised to inform him personally what went wrong. A month passed and finally a form letter arrived in the mail noting that Mr. Ponemon could sue the bank.
More often than not, though, privacy breaches occur when "good people do foolish things," like keeping a Post-It of a password on the computer, he said.
Sound sign-up procedures are crucial, Mr. Ponemon said. "You have to have an enrollment process that's fail-safe. Otherwise you let bad guys into the system."