MasterCard adjusts PCI compliance requirements

By Marcia Savage | Jul 1, 2009

A recent change in MasterCard Inc.'s PCI compliance requirements means merchants processing between one million and six million transactions annually will likely have to spend more time and money on PCI compliance.

Under the new rules, Level 2 merchants must hire a PCI-approved auditor to complete an annual onsite data security assessment by Dec. 31, 2010. Previously, those merchants were only required to complete an annual self-assessment questionnaire in order to comply with MasterCard's Site Data Protection Program. The Payment Card Industry Data Security Standard (PCI DSS) forms the baseline for MasterCard's Site Data Protection Program.

The changes were announced in MasterCard's Global Security Bulletin on June 15 and distributed to MasterCard acquirers and processors, according to Chris Monteiro, spokesman for the Purchase, N.Y.-based company.

"The current enhancement of validation requirements for PCI compliance provides for independent third-party review, enabling consistency of application and implementation of DSS requirements," Monteiro wrote in an email.

MasterCard estimates fewer than 2,000 merchants will be directly affected by the revised rules. The onsite assessment must be conducted by a Qualified Security Assessor; the PCI Security Standards Council governs training and approval of QSAs.

Diana Kelley, founder and partner at consulting firm SecurityCurve, said onsite assessments aren't cheap; prices vary significantly depending on the number of locations that need to be assessed.

"Even though it's going to cost Level 2s money -- and most likely time too -- I think it makes sense to have them go through an on-site independent assessment," she said. "Self-assessment is fairly tricky. It's easy to overlook something significant in your own environment."

Indeed, when VeriSign QSAs are called in to review a self-assessment questionnaire (SAQ), they find a lot of mistakes, said Branden Williams, PCI practice director at VeriSign Inc.

"They just don't have the experience and don't really know how to answer some of the questions," he said. "And it can cause companies to spend a lot more money on remediation than they need to."
