Verisign has cautioned that certain businesses can expect to have to spend more time and money on PCI compliance, as a result of changes being brought in by MasterCard.
MasterCard, one of the founding members of the PCI Security Standards Council, last week announced a change in the way businesses manage their Site Data Protection programmes. It now mandates that most merchants call in a PCI-approved auditor to complete an annual onsite data security assessment, and other merchants that were previously self-assessing may no longer be able to do so.
Branden Williams, PCI practice director at VeriSign, said, “This is a dramatic change from the current, industry-wide requirement of self-assessing for merchants processing less than six million transactions annually, and allowing merchants that process more than six million transactions annually to self-assess if they choose.”
Williams has suggested, however, that the change is not necessarily a bad thing. “It can only be a good thing for the industry. Often when we’re called in to review a self-assessment, we find a lot of mistakes. On top of this, it can cause companies to spend a lot more money on remediation than they need to.”
The new rules, which do not take effect until December 31, 2010, have apparently been introduced with the aim of ensuring that the PCI Data Security Standard requirements are applied consistently.
These are a set of guidelines intended to enhance payment account data security. They were developed by American Express, Discover Financial Services, JCB International, MasterCard and Visa and include measures to protect customer account data.
The requirements touch security management, policies, procedures, network architecture and software design.
Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organisation is handling, but regardless of the size of the organisation, compliance must be assessed annually.
Cynics say that a merchant can be PCI-compliant and yet still be insecure. There is a list of companies that have had security breaches while being registered as PCI DSS compliant.
One of the biggest breaches was that of the payment service provider Heartland last year. Malicious software injected into the payment processing network of the US credit-card processor could have led to one of the biggest data breaches ever reported. Because the business handles 100 million card transactions every month for 175,000 merchants, tens of millions of credit and debit card transactions could potentially have been compromised.
Verisign’s Williams said, “While some merchants are fighting the change, it seems to be a smart move by MasterCard. Ultimately these new requirements put more pressure on the PCI to focus on quality assurance.”