MasterCard increases PCI compliance requirements for some merchants

By Marcia Savage, Features Editor, Information Security magazine
29 Jun 2009 | SearchSecurity.com

Security Wire Daily News

A recent change in MasterCard Inc's PCI compliance requirements means merchants processing between one million and six million transactions annually will likely have to spend more time and money on PCI compliance.


Under the new rules, Level 2 merchants must hire a PCI-approved auditor to complete an annual onsite data security assessment by Dec. 31, 2010. Previously, those merchants were only required to complete an annual self-assessment questionnaire in order to comply with MasterCard's Site Data Protection Program. The Payment Card Industry Data Security Standard (PCI DSS) forms the baseline for MasterCard's Site Data Protection Program.

The changes were announced in MasterCard's Global Security Bulletin on June 15 and distributed to MasterCard acquirers and processors, according to Chris Monteiro, spokesman for the Purchase, N.Y.-based company.

"The current enhancement of validation requirements for PCI compliance provides for independent third-party review, enabling consistency of application and implementation of DSS requirements," Monteiro wrote in an email.


MasterCard estimates fewer than 2,000 merchants will be directly affected by the revised rules. The onsite assessment must be conducted by a Qualified Security Assessor; the PCI Security Standards Council governs training and approval of QSAs.

Diana Kelley, founder and partner at consulting firm SecurityCurve, said onsite assessments aren't cheap; prices vary significantly depending on the number of locations that need to be assessed.

"Even though it's going to cost Level 2s money -- and most likely time too -- I think it makes sense to have them go through an on-site independent assessment," she said. "Self-assessment is fairly tricky. It's easy to overlook something significant in your own environment."

Indeed, when VeriSign QSAs are called in to review a self-assessment questionnaire (SAQ), they find a lot of mistakes, said Branden Williams, PCI practice director at VeriSign Inc.

"They just don't have the experience and don't really know how to answer some of the questions," he said. "And it can cause companies to spend a lot more money on remediation than they need to."

Some merchants are fighting the change, Williams said, but he called it a smart move by MasterCard. Many Level 2 merchants are actually large companies and many are household names, he said.

Visa Inc., however, is not planning similar changes in its PCI compliance requirements. In a statement released Friday, the San Francisco-based company said it believes its "approach to compliance validation provides large merchants greater flexibility to choose the validation method that best works for their business, while also driving the payments industry towards greater data security."

"Through a combination of incentives, fines, training and resources, Visa has created a risk-based compliance framework that is responsive to merchant needs and encourages ongoing vigilance in data security," Visa continued. "Mandating on-site assessments for all Level 2 merchants may introduce potentially unnecessary costs to merchants in an already challenging business environment, without a demonstrated increase in security. While Visa always encourages merchants to invest in objective, third-party reviews, the industry must recognize and support merchants with the internal capabilities and expertise to conduct thorough self assessments."

Chris Mark, CEO and president of consulting firm The Aegenis Group Inc., also criticized MasterCard's added requirement. He noted in a blog post that all the companies involved in the five largest breaches had been assessed or were in the process of being assessed by a QSA.

"One has to question the value of requiring more merchants to engage QSAs when the anecdotal evidence suggests the use of a QSA does not appreciably reduce the likelihood of a breach," he wrote.

VeriSign's Williams said Level 2 merchants should have a PCI QSA conduct a basic readiness assessment to see how accurately they've answered the SAQ and whether they're working on the most appropriate version of the SAQ for their business. Work needs to start now in order to have time for any remediation and to meet the compliance deadline, he said.

MasterCard's new requirements ultimately put more pressure on the PCI SSC to focus on QSA quality assurance, Williams said. "Everyone knows there's good and bad QSAs," he said.

The PCI SSC launched a quality assurance program for QSAs last fall and notes in its list of QSAs firms that are in remediation for violating applicable QSA validation requirements.
