
The playing field isn’t level anymore

By Daniel Cuthbert, June 19th, 2009.

MasterCard has dropped a bombshell on the PCI community by announcing (http://www.mastercard.com/us/sdp/merchants/merchant_levels.html) that they have changed their Site Data Protection Program. Level 2 merchants now need to make use of a QSA (Qualified Security Assessor) and have an on-site assessment.

Previously Level 2 merchants were only required to complete an annual PCI Self-Assessment questionnaire and have a quarterly network scan performed. Granted this approach was rather flawed as many failed to answer the questionnaire correctly.

Anything that forces companies to adopt a more stringent security stance is welcomed by Corsaire, but it raises the question of why none of the other credit card companies have joined MasterCard in this announcement.

The PCI standard has had a hard enough time convincing the industry that it is a serious standard, with constantly slipping compliance deadlines and now mixed messages from the card vendors. You’d be forgiven for thinking that the cracks are no longer hairline but more serious than previously thought.

In addition, with certain QSAs being sued (see http://www.wired.com/threatlevel/2009/06/auditor_sued/ and also http://infoseccompliance.com/2009/06/03/merrick-bank-v-savvis-analysis-of-the-merrick-bank-complaint/) by companies they had previously given the green compliance light to, it makes for an interesting future.

With the economic downturn and this new costly enforcement, will Level 2 merchants look to jump ship and change credit card brands that don’t enforce this new approach, or will the rest of the house get its cards in order in time?
