[Dataloss] CardSystems Settles FTC Charges

Adrian Sanabria adrian.sanabria at gmail.com
Mon Feb 27 20:43:46 EST 2006


Mastercard doesn't keep a list, and neither do AMEX or Discover. VISA
was the first to organize data security requirements, and although the
other card companies were putting together their own programs, they
opted to adopt VISA's instead. So, if you're in compliance with PCI,
you are in compliance with VISA, Discover, AMEX and Mastercard. That's
why AMEX dropped Cardsystems the very next day, after VISA's
announcement to do so.

I believe the agreement is the same internationally, where VISA's data
security program is referred to as AIS instead of PCI.

I also believe that VISA will be the first to enforce minimum
requirements for payment applications (PC-based apps that allow
merchants to swipe and enter credit card numbers, then send them off
for processing). They currently only have best practices posted:
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Payment_Application_Best_Practices.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp_payment_applications.html|Payment%20Application%20Best%20Practices

It is very interesting that Pay by Touch isn't on the list. They seem
to keep the list fairly up-to-date also...


On 2/23/06, Chris Walsh <cwalsh at cwalsh.org> wrote:
> Interesting that Pay By Touch (which now owns Cardsystems) says
> (http://www.paybytouchpaymentsolutions.com/about.html) that they are
> "VISA Cardholder Information Security Program (CISP) Compliant", but
> VISA's list of CISP compliant service providers
> (http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_List_of_CISP_Compliant_Service_Providers.pdf),
> dated 2/1/2006, includes neither CardSystems nor Pay By Touch.
>
> The PCI Data Security Standard is one MasterCard and VISA require
> adherence to, and it mandates on-site assessments for processors as
> large as Cardsystems.  I specifically remember Amex and Visa dropping
> Cardsystems, but I do not have a similar memory for MasterCard.
> Unfortunately, I cannot find a list of MasterCard's approved
> processors, analogous to the VISA list above.
>
>
> On Feb 23, 2006, at 8:17 PM, lyger wrote:
>
> >
> > In the case of CardSystems and their new companies, it might be because
> > VISA is no longer doing business with them?
> >
> > http://attrition.org/errata/dataloss/cardsystems04.html
>

