MasterCard beefs up security requirements
In a move that is unlikely to sit well with many merchants, MasterCard has quietly changed a key security requirement for all businesses handling between 1 million and 6 million card transactions annually.
Staring Dec 31, 2010 companies that fall into this category, called Level 2, will be required to undergo an onsite review of their security controls by a MasterCard approved third-party assessor.
Presently, such merchants are only required to fill out a self assessment evaluating their compliance with MasterCard's Site Data Protection requirements. It's only the Level 1 merchants -- those processing more than 6 million cards annually -- that are currently required to do on-site assessments.
It is unclear immediately what might have prompted the change on MasterCard's part. Requests for comment from MasterCard were not returned.
MasterCard, Visa and the other major credit card companies currently require all companies that accept payment card transactions to comply with security requirements called the Payment Card Industry Data Security Standard, or PCI DSS. But each has its own standards for assessing compliance with PCI requirements.
The change marks one of the few instances where Mastercard has issued a security mandate ahead of Visa, which has generally been the most aggressive proponent of PCI.
Jim Huguelet, an independent PCI consultant in Bolingbrook, IL., said, "It remains to be seen if this represents a new trend of leadership on the part of MasterCard, and if not what specifically prompted MasterCard to make this change at this point in time."
The new rule looms at a time when there is a shortage of assessors to do on-site security assessments, Huguelet said. "I think one of the greatest impacts, if this is enforced, is increasing the demand for qualified security assessors," he said. "This will only further exacerbate the situation."
MasterCard's Web site still lists Level 2 merchants as requiring a self-assessment annually, Huguelet noted. "The industry needs an explanation as to what this means in practiceas having an audit by a qualified security assessor and completing a self-assessment would tend to be mutually exclusive," he said.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
security
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
