MasterCard beefs up security requirements
In a move that is unlikely to sit well with many merchants, MasterCard has quietly changed a key security requirement for all businesses handling between 1 million and 6 million card transactions annually.
Staring Dec 31, 2010 companies that fall into this category, called Level 2, will be required to undergo an onsite review of their security controls by a MasterCard approved third-party assessor.
Presently, such merchants are only required to fill out a self assessment evaluating their compliance with MasterCard's Site Data Protection requirements. It's only the Level 1 merchants -- those processing more than 6 million cards annually -- that are currently required to do on-site assessments.
It is unclear immediately what might have prompted the change on MasterCard's part. Requests for comment from MasterCard were not returned.
MasterCard, Visa and the other major credit card companies currently require all companies that accept payment card transactions to comply with security requirements called the Payment Card Industry Data Security Standard, or PCI DSS. But each has its own standards for assessing compliance with PCI requirements.
The change marks one of the few instances where Mastercard has issued a security mandate ahead of Visa, which has generally been the most aggressive proponent of PCI.
Jim Huguelet, an independent PCI consultant in Bolingbrook, IL., said, "It remains to be seen if this represents a new trend of leadership on the part of MasterCard, and if not what specifically prompted MasterCard to make this change at this point in time."
The new rule looms at a time when there is a shortage of assessors to do on-site security assessments, Huguelet said. "I think one of the greatest impacts, if this is enforced, is increasing the demand for qualified security assessors," he said. "This will only further exacerbate the situation."
MasterCard's Web site still lists Level 2 merchants as requiring a self-assessment annually, Huguelet noted. "The industry needs an explanation as to what this means in practiceas having an audit by a qualified security assessor and completing a self-assessment would tend to be mutually exclusive," he said.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
security
Powered by TwitterOn Twitter now
security
Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers
Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal
Tom Henderson
Top Ten General Operating Systems Rants
pasmith
PS3 motion controller delayed; goes up against Project Natal
sjvn
Neolithic Windows security hole alive and well in Windows 7
claird
Perl source code comparison makes for good reading
mikelgan
Cell phones don't create stress or interrupt much
Sandra Henry-Stocker
How to: The Unix Interview
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
- Ubuntu advances: Why Ubuntu server installations will surge in 2010
- Social media marketing: How to make friends with benefits
- More...
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
