MasterCard issued new requirements for PCI compliance for Level 2 merchants: they will soon be required to do an annual on-site audit. This used to be a requirement for Level 1 merchants only. Level 1 merchants are retailers doing more than 6 million credit card transactions a year, whereas Level 2 merchants do between 1 million and 6 million transactions. The requirements go into effect on December 31, 2010.

MasterCard's intentions are good, as they are trying to ensure retailers have better controls. However, I still believe that instead of creating more bureaucracy and audits, we need to focus more on looking at the requirements of the PCI standard and clarifying what to do. The PCI Data Security Standard is a good thing and has raised awareness of security issues among merchants. But most merchants, especially the smaller ones, are still confused about what to do. Merchants who are attaining compliance out of fear are being lulled into a false sense of security by run-of-the-mill vendors who issue a certificate for a few hundred bucks.

Here's my 5-step recommended plan for a better process for making sure that merchants get tighter security for their infrastructure:

- Education: Focus on educating merchants on different levels of security. Credit card companies should offer free Web seminars and courses to help merchants with basic security issues.
- Clear rules: The PCI Council should continue to work on clarifying the requirements and how to get compliant. The last version helped, and hopefully we can keep simplifying the standard. For example, throwing an app firewall at the problem does not equal secure applications.
- Subsidies: Credit card companies should provide subsidies for smaller merchants who can't afford to pay for security.
- Focus on the weakest link: With 80% of attacks happening through Web applications, they are the weakest link. Yet most of the focus of the standard is on network security.
- Enforcement and positive reinforcement: With clear rules, subsidies, and education in place, there shouldn't be many excuses for merchants not to comply. Start enforcing with an initial warning and then penalties. Give visibility to the good merchants so they can increase their sales.
With over 250 million records stolen in 2008 alone, resulting in billions of dollars in losses, it's obvious that the current rules are not working. Something has to change. Period.

by Mandeep Khera, CMO, Mandeep@cenzic.com