Akamai, I fully agree, the card associations are making it up as they go and there is A LOT of confusion in the industry. Last September, we held a security summit and had representatives from VISA, MasterCard, AMEX all together in an open forum session, and many of the topics that our merchants were bringing up had no answers -- they didn't have a clue how their own rules affected merchants or whether fines would be assessed under various situations.
We do quite a bit of hotel processing business with adv. deposits, check-ins and check-outs, etc. A big topic that could not be answered was travel agents. They work on behalf of the hotel (technically), but if a breach happens within one of the 20,000 or so travel agents (which is very likely), who is liable and who will get any assessed fines? (Even though in many cases the hotel never sees the credit card info, nor do they have any idea how secure or insecure these agents are.)
Basically, my point is yes, they are making it up as they go. In their defense, much of the entire security industry could be classified as "making it up as they go" -- as the hackers change tactics, so must the defenses. Where I believe they are failing is that one hand is trying to be the security experts and cops of the industry while the other hand does not want to put real teeth in their rules for fear of alienating merchants and losing business. Fines are a good example. VISA clarified several times at our summit that VISA does not fine merchants, VISA fines member banks -- and that's as far as they went. But what this means is that each member bank can interpret the rules and define their own rules and enforcement policy. Net result: Confusion, confusion, confusion.
Back to Bo, I'm not taking it personally. My only issue is the thought that the card associations and third party processors are one and the same. In reality, VISA in particular didn't even recognize the existence of third party processors. As far as they were concerned, there were member banks (the "in" crowd) and everyone else (or in their case, no one else). The card associations define rules that everyone in the mix, including third party processors, must abide by, but they are different organizations. Your argument is incorrect; they are pointing the finger at the third party processor in this case, and they have demanded fines and called for changes. I put "working" in quotes in my previous posting. By "working", they were determining the exact failures and figuring out 1) if all the current rules were followed, 2) if new rules needed to be implemented (in this case, I don't believe so; the issue was a failure to follow the existing rules), 3) the real size and extent of the breach and 4) the fine and the probation period (I believe twenty years, quarterly scans and yearly onsite security audits, possibly more).
The idea that "they are not following their own rules" is incorrect -- the card associations are doing everything they can to make sure "they" are following the rules.
Steve Sommers
Shift4 Corporation --
Creators of $$$ ON THE NET(tm) payment processing services