June 18, 2009, 9:34 PM — In a move that is unlikely to sit well with many merchants, MasterCard has quietly changed a key security requirement for all businesses handling between 1 million and 6 million card transactions annually.
Staring Dec 31, 2010 companies that fall into this category, called Level 2, will be required to undergo an onsite review of their security controls by a MasterCard approved third-party assessor.
Presently, such merchants are only required to fill out a self assessment evaluating their compliance with MasterCard's Site Data Protection requirements. It's only the Level 1 merchants -- those processing more than 6 million cards annually -- that are currently required to do on-site assessments.
It is unclear immediately what might have prompted the change on MasterCard's part. Requests for comment from MasterCard were not returned.
MasterCard, Visa and the other major credit card companies currently require all companies that accept payment card transactions to comply with security requirements called the Payment Card Industry Data Security Standard, or PCI DSS. But each has its own standards for assessing compliance with PCI requirements.
The change marks one of the few instances where Mastercard has issued a security mandate ahead of Visa, which has generally been the most aggressive proponent of PCI.
Jim Huguelet, an independent PCI consultant in Bolingbrook, IL., said, "It remains to be seen if this represents a new trend of leadership on the part of MasterCard, and if not what specifically prompted MasterCard to make this change at this point in time."
The new rule looms at a time when there is a shortage of assessors to do on-site security assessments, Huguelet said. "I think one of the greatest impacts, if this is enforced, is increasing the demand for qualified security assessors," he said. "This will only further exacerbate the situation."
MasterCard's Web site still lists Level 2 merchants as requiring a self-assessment annually, Huguelet noted. "The industry needs an explanation as to what this means in practiceas having an audit by a qualified security assessor and completing a self-assessment would tend to be mutually exclusive," he said.
Avivah Litan, an analyst at Gartner Inc., said the timing of MasterCard's move is poor because it comes even as there is growing concern about the quality of the existing base of third-party assessors in the payment industry.
Until measures are taken to ensure better quality and standardization of third-party assessors and assessment practices, there appears to be little that is gained by requiring Level 2 merchants to undergo on-site evaluations, Litan said.
That many approved third-party security assessors in the payment industry sell security products as well as services is troubling and needs to be addressed before the use of such assessors is widened, she said.
Litan said there is no evidence that the new requirement, which will impose extra costs on an estimated 3,000 Level 2 merchants, is justified. "It would be one thing if they had a great set of assessors. They don't," she said.