VisaNet

• case

VISANET PREPARES RETAIL FOR PCI

Payment Processor with Visa credit card leans on Modulo Risk Manager to evaluate internal processes and adapt accredited retailers to the new security standard

AFTER 12 YEARS IN THE MARKET and more than 1 million commercial establishments throughout Brazil for capture and transmission of payment transactions with Visa credit cards, this year VisaNet still has another challenge to make its operation grow.

The company assumed goals with Visa International so that by late 2007, about 40% of their accredited and eligible shopkeepers comply with the Payment Card Industry / Data Security Standard (PCI DSS).

This rate should rise to 70% in 2008 and reach 100% in December 2009, when expires the period for all those who operate with credit card in the world market to put into practice the 12 electronic payment security requirements required by PCI DSS. The new standard is an industry initiative to reduce frauds and make cards transactions safer.

To meet the pre-established plan, VisaNet created two programs for PCI adaptation. One internal and another external, to evaluate its network of accredited establishments. This work demanded investments in new technologies for process auditing. A request for proposal was opened and the company ended up opting for Modulo Risk Manager software, a Risk Management and Compliance system authored by Modulo. “We researched the market and the only tool we found prepared to audit our PCI processes was the one from Modulo”, says Sérgio Cloves, information security manager at VisaNet.
With the new platform, VisaNet began in June 2006 to get ready to meet the new standard’s requirements. With the help of Modulo's consulting team, the company applied a questionnaire to analyze risks in 60 internal systems. Analyses with Modulo software were also extended to companies that render third-party services to VisaNet: EDS, Tivit, OR-Service, Proservvi, Embratel, Telemar and Interchange. After x-raying the partners’ internal processes and operations with its business to measure the degree of PCI compliance, the company defined a plan with the necessary actions to meet the regulation. According to Cloves, VisaNet is now working in this phase, and expects that by late 2007 the company will comply with all security rules defined by the standard.

Cloves says that by using Modulo Risk Manager, VisaNet quickly completed the first phase of process analysis. The project was accomplished in 60 days, meeting the goals set by Visa. “Without this tool we couldn’t get the job done as planned. We saved precious time because the software was created for PCI.”

ON-LINE AUDITING

After testing internally Modulo’s Risk Management solution, VisaNet decided to use the same technology to assess PCI compliance in its network of accredited establishments, by creating a program that started to be arranged last year to assist member and eligible establishments, who were hence divided in two groups. The first includes major retailers, responsible for 80% of credit card payments, and totalizing 340 networks. The second comprises shopkeepers, who process the remaining 20% of the transactions, within a network of 3.6 thousand establishments.

VisaNet’s risk control manager Henrique Takaki believes PCI won't reach 100% of its network of accredited establishments, as the small shops that make few card transactions will most likely be left out. “The greater risk rest in establishments that perform many card payment operations”, according to the executive”.

VisaNet Operation

VisaNet has been operating in the market since 1995, when Visa International joined a group of Brazilian banks (Bradesco, Banco do Brasil, Real and the extinct Banco Nacional) to create a company dedicated to capture and transmit credit card transactions made at commercial establishments. Until then, this work was jointly performed by banks and Visa. Each financial institution launched their own cards and created their own solutions to capture payment information at stores.

The new company was born to take over that role, managing the relationship with commercial establishments that accept Visa cards as a payment option, and efficiently manage a secure, high-availability network. Freed from that task, the banks could focus on granting credit and issuing plastic to the holders.

Today, VisaNet has 20 financial institutions associated, and a network of 790,000 POS terminals interconnecting more than 1 million establishments throughout Brazil. Besides processing credit card payments, the company manages other products like Visa Electron, Visa Vale Pedágio (toll) e Refeição (meal) and Alimentação (groceries) Visa Vale, providing monitoring solutions that guarantee safer transactions. The company is one of the world’s ten greatest organizations in the industry, with a network able to process more than 2 billion transactions a year.