Visa's new rules for online purchases

BETHESDA, Md. -- Visa, the world's biggest payment card network, said on Wednesday it was setting 10 new security rules for transactions done over the Internet by its more than 21,000 member financial institutions and their merchant partners.

Visa tied the moves to combating online fraud -- running at more than three times the rate of card fraud overall -- as well as to boosting consumer confidence in electronic commerce. It said it was also eager to head off possible new government regulatory action by policing itself.

John Shaughnessy, senior vice president for risk management for VISA U.S.A., said the new requirements -- including a network "firewall" to protect data accessible from the Internet -- will be phased in worldwide over the next year after they are spelled out in detail in a "few weeks."

Member companies tested

Visa will work with members to monitor compliance and use outside experts to test firewalls, starting at Internet service providers and similar "gateway" portals that provide card payment services for commercial Web pages they host, he told a Bethesda conference on business solutions to cybercrime.

Visa's new requirements include updating security systems, encrypting network information and using the latest anti-virus software.

The rules are ultimately meant to apply to all merchants accepting VISA cards, the world's most widely accepted form of "plastic" payment, Shaughnessy said. "If you're a merchant, this is stuff you want to do," he said. "It's just good business. It's as simple as that."

Enforcement could involve fines, restricting the dollar amount of sales that individual merchants could process through the network or terminating their VISA membership.

The new requirements include keeping security systems up to date, encrypting stored data accessible from the Internet, encrypting data sent across networks, and using and regularly updating anti-virus software.

Deleting defaults

Also, those accepting VISA payments must not use vendor-supplied defaults for system passwords and other security passwords. They must assign unique IDs to each person with computer access to data; track access to data, including "read only" material, by unique ID; regularly test security systems and processes; and immediately investigate and report to VISA any suspected loss of cardholder data.

VISA U.S.A. announced in February that its overall fraud loss had dropped to an all-time low of six cents per $100 in transactions, down from seven cents in 1998 and 18 cents in 1992.

But fraud in "card-not-present" transactions -- such as telephone and mail-order sales -- totaled about 15 to 20 cents per $100 in 1999 and the Internet-related part of that is typically higher, Shaughnessy said. He said the biggest source of such fraud was stolen account numbers.

"We feel like we can take a leadership role" in managing such fraud, making it unnecessary for the government to get involved, he said. "We want to do it this way."

In 1998 about $1.4 trillion in products and services were purchased using the 600 million VISA cards accepted at more than 17 million places worldwide, according to VISA.

Of the total VISA U.S.A. card volume of $724 billion in 1999, about 2 percent involved online purchases. VISA projects this will quintuple to 10 percent by 2003, according to Angela Grothoff, a spokeswoman in New York.

With more merchants doing business online than any other card company, "Visa is in a position to really impact the security of online commerce" with its new rules, she said.