ARLINGTON, Va. – In a move which could help ease the worries of credit unions about card data security, Visa and MasterCard have teamed up to generate one uniform standard for merchants and merchant processors who accept transactions from either one of their card brands. In a rare joint interview, John Shaughnessy, a senior vice president with Visa and John Verdeschi, vice president for eBusiness for MasterCard, outlined some of the parts of their agreement and how they believe that it will help bring some order to a part of the industry which has remained too complicated for too long. “I think I speak for both of us when I say card data security is not a competitive issue between Visa and MasterCard” said Shaugnessy, “so it’s to everyone’s advantage to make the sorts of changes we are making.” Verdeschi agreed, noting that the two major card brands, along with other cards, shared the same goal but still had different technical requirements, documentation and different sets of vendors. Other card brands which will support the new standard are American Express, Discover, Diner’s Club and Japanese card brand JCB Ltd. The issue of who keeps card data and how secure they keep it has risen among credit unions in the last 12 months. As the volume of merchandise and services purchased on the Internet continues to rise, some credit unions have faced losses from card data security breaches at retailers. Back in August 2004, the $2.1 billion Pennsylvania State Employees Credit Union sued BJ’s Wholesale Club and its merchant processor for roughly $100,000 over the damages the credit union alleges it received after hackers stole some of its members card data from the retailer. The court case is ongoing so neither Shaughnessy nor Verdeschi would comment on it specifically, but they did point out that a situation where a merchant or processor had to follow multiple procedures and multiple forms to secure card data should be alleviated by the new standard. The existing standards for each company include such things as firewalls, file formats, documentation and approved vendor partners for setting up security arrangements. Now, both men said, merchants should be able to apply one uniform standard to their data protection. The new documentation and requirements are available to merchants now, the men said, but both pointed out there is compliance with the new standard and verification. Shaughnessy likened it to a speed limit. The speed limit on a highway might be 70 miles per hour and that is compliance, he illustrated. But the verification is like the cop that has the radar, he added. Both associations have implementation schedules which include both compliance and verification schedules. The next major deadline by which time most merchants will have to be both compliant and verified with the new standards will be June 30, 2005. But neither executive would comment on what might happen to firms which do not become compliant to the new standard. Each association maintains its own system of penalties for merchants and processors who do not comply with their security rules and would continue to do so, the executives said. -

dmorrison@cutimes.com