[ISN] Visa Security Summit Has Some Advice For Everyone

From: InfoSec News (alerts@private)
Date: Sun Mar 11 2007 - 23:10:34 PST


By Larry Greenemeier
March 10, 2007

The tensions and problems surrounding the security of electronic 
customer data and online transactions got a proper airing last week, 
when Visa held a security summit in Washington, D.C. It seems everyone 
had some advice for others in the transaction chain.

Visa USA president and CEO John Philip Coghlan wasn't cutting retailers 
any slack for data breaches. "The majority of compromises come from 
storage of prohibited data and retailers using vulnerable systems to 
process data," Coghlan said. Just one-third of the largest merchants -- 
those processing more than 6 million transactions a year -- comply with 
the payment card industry's data security standard (PCI DSS). Visa this 
year will offer incentives for compliance, such as giving its lowest 
fees to merchants that are compliant before October, and it will levy 
fines for noncompliance.

But retailers would like more help from Visa, too. Department store 
Nordstrom in 2005 increased its security efforts as Visa began 
emphasizing compliance. But Nordstrom executive VP Daniel Little would 
like the card companies to offer better guidance on how companies should 
rank data risks. "That would help us identify the highest-priority 
issues," he said. Little and his team conduct weekly meetings related to 
payment-card compliance, and he provides quarterly reports to the 
company's board. "Information security and privacy are in the top five 
of our risks," he said.

For eBay CEO Meg Whitman, scams are one of the biggest business risks 
because of the potential loss of trust. She outlined some of eBay's new 
security tools and strategies. "Security on the Net is actually an arms 
race in its most classic form," she told the summit.

EBay and its PayPal group are the favored target for phishers. To ensure 
that customers can identify legitimate eBay E-mails, the company 
includes a digital signature on every one it sends. It's trying to 
convince Internet service providers to route only E-mails that contain 
this signature. Another measure is a PayPal security key that creates a 
random code to authenticate each transaction. "It's a combination lock 
for your PayPal account," Whitman said. It's been in beta for about a 
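
The article describes the security key only as a device that "creates a random code," so the following is an added illustration of how that class of token is usually built, not PayPal's implementation: an event-based one-time password per RFC 4226 (HMAC-SHA-1 over a counter, dynamically truncated to six digits), with the server-side check that stops a captured code from being replayed. The secret, the look-ahead window and the `TokenVerifier` class are assumptions for the example; only the Python standard library is used.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code per RFC 4226: HMAC-SHA-1 over the 8-byte big-endian
    counter, then 'dynamic truncation' (4 bytes at an offset chosen by the
    low nibble of the last MAC byte, top bit cleared) reduced mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side of the 'combination lock'. Hypothetical helper for this
    example: it remembers the last counter value it accepted for a token and
    accepts a submitted code only if it matches one of the next `look_ahead`
    counter values (the user may have pressed the button without logging in).
    Because the counter only moves forward, a code that was already used,
    or one an attacker phished earlier, is rejected on replay."""

    def __init__(self, secret: bytes, look_ahead: int = 10) -> None:
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1  # nothing accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            # constant-time comparison so timing does not leak digit matches
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret, used here as constructed sample input.
    secret = b"12345678901234567890"
    server = TokenVerifier(secret)
    first = hotp(secret, 0)
    print("token shows", first)
    print("first use accepted:", server.verify(first))
    print("replay accepted:", server.verify(first))  # False: counter has advanced
```

Commercial tokens add a resynchronisation step for a user who has pressed the button far beyond the look-ahead window, and many later designs derive the counter from the clock instead (RFC 6238), but the anti-replay property shown here is the reason a phished code is worth little to an attacker.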

Whitman also thinks banks and card companies could do better. She noted 
bank card networks receive information about fraudulent transactions 
days and sometimes weeks before merchants do, and that's a major 
problem. EBay wants to know about fraudulent payment accounts before its 
users ship goods to the perpetrators.

This archive was generated by hypermail 2.1.3 : Sun Mar 11 2007 - 23:24:15 PST