A recent change in MasterCard Inc.'s PCI compliance requirements means merchants processing between one million and six million transactions annually will likely have to spend more time and money on PCI compliance.
Under the new rules, Level 2 merchants must hire a PCI-approved auditor to complete an annual onsite data security assessment by Dec. 31, 2010. Previously, those merchants were only required to complete an annual self-assessment questionnaire in order to comply with MasterCard's Site Data Protection Program. The Payment Card Industry Data Security Standard (PCI DSS) forms the baseline for MasterCard's Site Data Protection Program.
The changes were announced in MasterCard's Global Security Bulletin on June 15 and distributed to MasterCard acquirers and processors, according to Chris Monteiro, spokesman for the Purchase, N.Y.-based company.
"The current enhancement of validation requirements for PCI compliance provides for independent third-party review, enabling consistency of application and implementation of DSS requirements," Monteiro wrote in an email.
MasterCard estimates fewer than 2,000 merchants will be directly affected by the revised rules. The onsite assessment must be conducted by a Qualified Security Assessor; the PCI Security Standards Council governs training and approval of QSAs.
Diana Kelley, founder and partner at consulting firm SecurityCurve, said onsite assessments aren't cheap; prices vary significantly depending on the number of locations that need to be assessed.
"Even though it's going to cost Level 2s money -- and most likely time too -- I think it makes sense to have them go through an on-site independent assessment," she said. "Self-assessment is fairly tricky. It's easy to overlook something significant in your own environment."
Indeed, when VeriSign QSAs are called in to review a self-assessment questionnaire (SAQ), they find a lot of mistakes, said Branden Williams, PCI practice director at VeriSign Inc.
"They just don't have the experience and don't really know how to answer some of the questions," he said. "And it can cause companies to spend a lot more money on remediation than they need to."
Some merchants are fighting the change, Williams said, but he called it a smart move by MasterCard. Many Level 2 merchants are actually large companies and many are household names, he said.
Visa Inc., however, is not planning similar changes in its PCI compliance requirements. In a statement released Friday, the San Francisco-based company said it believes its "approach to compliance validation provides large merchants greater flexibility to choose the validation method that best works for their business, while also driving the payments industry towards greater data security.
"Through a combination of incentives, fines, training and resources, Visa has created a risk-based compliance framework that is responsive to merchant needs and encourages ongoing vigilance in data security," Visa continued. "Mandating on-site assessments for all Level 2 merchants may introduce potentially unnecessary costs to merchants in an already challenging business environment, without a demonstrated increase in security. While Visa always encourages merchants to invest in objective, third-party reviews, the industry must recognize and support merchants with the internal capabilities and expertise to conduct thorough self assessments."
Chris Mark, CEO and president of consulting firm The Aegenis Group Inc., also criticized MasterCard's added requirement. He noted in a blog post that all the companies involved in the five largest breaches had been assessed or were in the process of being assessed by a QSA.
"One has to question the value of requiring more merchants to engage QSAs when the anecdotal evidence suggests the use of a QSA does not appreciably reduce the likelihood of a breach," he wrote.
VeriSign's Williams said Level 2 merchants should have a PCI QSA conduct a basic readiness assessment to see how accurately they've answered the SAQ and whether they're working on the most appropriate version of the SAQ for their business. Work needs to start now in order to have time for any remediation and to meet the compliance deadline, he said.
MasterCard's new requirements ultimately put more pressure on the PCI SSC to focus on QSA quality assurance, Williams said. "Everyone knows there's good and bad QSAs," he said.