Headlines | Branden R. Williams, Business Security Specialist

MasterCard to Fine Merchants for Non Compliance standard

OK, SOMEONE out there has some explaining to do. Like, right now. Who poked MasterCard hard enough to wake them from hibernation? When it comes to actions against merchants, MasterCard has typically been much quieter than Visa. We’ve had several customers come to us with new fines from MasterCard that will begin sometime in the next 18-21 months beginning NOW. Why the ambiguity? None of our customers seem to have a date when the fines start! This is a huge assumption here, but I will suggest that the fines would start after the 2010 deadlines for Level 1 & 2 merchants. Revisiting those deadlines, Level 1 & 2 merchants must produce a Report on Compliance from a QSA by December ...

Guest Post: HITECH Alters HIPAA—Will HIPAA be ‘Hip’? standard

The following is a guest post by Bindu Sundaresan, a consulting manager in our Risk & Compliance consulting practice. With the current “non-stimulating” economy, there is a lot of talk about the “stimulus” bill which is impacting all areas of the US economy. One such impact is the reason for today’s blog post. A portion of the new economic stimulus bill, called the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), will have a significant impact on Health Insurance Portability and Accountability Act of 1996(HIPAA). This new law revives HIPAA (which has been around for over a decade), but has many a time gone unnoticed/ not strongly enforced, and no incentive to comply, amongst the other ...

The Final Word on MasterCard’s New Levels standard

It’s been a little over a week now since MasterCard tool the PCI world by surprise and changed their reporting requirements for Level 2 merchants. Whether you are currently a Level 1 or Level 2 merchant, these changes affect you. Here’s the summary and rundown. MasterCard posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and perform an on-site assessment before December 31, 2010. In addition, Level 1 merchants that were previously self-assessing may not self assess anymore, and must use a QSA for their PCI Assessments. This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually, and allowing ...

Much Ado About Nothing, Merrick v. Savvis Update standard

Don’t write Savvis off yet! Dave Navetta posted an update to the Merrick v. Savvis case that every QSA is closely watching. Savvis filed a motion to dismiss in response to the lawsuit. I’m not a lawyer, but I’m glad David is. He explains the reasoning, and even mentions that Merrick’s potential procedural error (or end-around) could get this case dismissed before the substantive merits of the case can be explored, thus continuing to leave the world in the dark about more potential liabilities involved with performing PCI Assessments. Go check it out! Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to ...

Clarification on MasterCard Level 2 Requirements standard

Javelin Strategy & Research posted an update to the new MasterCard Requirements. After speaking with John Verdeschi, Robert Vamosi pointed out an error in our initial analysis. After re-reading my material, I looked at one piece of information and made a leap (incorrectly) about the intent (see the final word here). John clarified that the intent is to use the next eighteen months as a transition period. Level 2 merchants should both submit a SAQ, and also have an On-Site assessment completed so they can submit a Report on Compliance by December 31, 2010. This means that Level 2 Merchants effectively have eighteen months to complete a readiness assessment, remediate, and validate compliance. Sorry for the confusion folks, and thank ...

Nevada’s New PCI Law standard

You’ve probably heard about it by now. Thanks to a friend doing business in Nevada, I was alerted to this new law last week. Nevada is now the second state to enact laws requiring companies to comply with PCI (though, arguably, the Massachusetts Identity Theft Prevention Regulations seemed to have been lifted at a high level from PCI), the first being Minnesota. David Navetta has a great analysis from a legal perspective, and Chris Mark published his thoughts as well. One thing that is interesting about the Nevada law is an apparent Safe Harbor provision. Will this added pressure force more religious views on payment security and compliance inside companies? Or will companies continue to roll the dice with their ...

More on MasterCard’s Level 2 Change standard

On Wednesday, we discussed MasterCard’s new requirement for Level 2 merchants to have an on-site assessment performed instead of submitting the Self-Assessment Questionnaire (see the final word here). This news prompted a flurry of information around the new requirement and has merchants asking lots of questions. I clarified a couple of items from my last post and wanted to make sure they were clear. MasterCard’s 2010 deadline is more of an end to submitting SAQs as opposed to a deadline to be validated by a QSA. This means that Level 2 merchants will continue to be able to submit SAQs until December 31, 2010, after which they will need to have the on-site assessment, performed by a QSA. The On-Site ...

NEWS FLASH: MasterCard Requires On-Site QSA for Level 2 Merchants standard

Thanks to Smiley for the tip! See the final word here. MasterCard has posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and an on-site assessment. This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually. While this is definitely going to put a dent in Level 2 merchant budgets from this point on, I truly believe that this is a smart move by MasterCard. Level 2 merchants are extremely significant in size, many of which being household names. Unfortunately, PCI self-assessments are typically poorly handled simply due to the complexity of the standard and lack of training provided ...

Jeez, you guys crack me up. standard

I hate to be a cynic. OK, fine. SOMETIMES I get secret enjoyment out of being a cynic. Kind of like the enjoyment of making fun of someone in a way that they don’t know they are being made fun of. Or that satisfaction of eating candy from your kid’s Halloween stash knowing they will never miss it (unless your kid is Ms. KJ… you know who you are, you little Halloween candy auditor you…). The NRF and others “ganged up” on PCI yesterday by sending a letter demanding easier treatment under the standard. I understand the intent, and applaud them for sending the letter across. While there may be a valid point or two buried in there, I think ...

Debating PCI, and the Story of the Unresearched Position standard

Do you remember debate or speech class? I remember having a professor assign me the counterpoint position on an issue in which I didn’t agree. I always thought that the other guy had it easy if our beliefs were the same because he already believed what he was saying. I recently read an article by Ariel Silverstone in CSO Magazine entitled “Where PCI DSS Still Falls Short (and How to Make it Better)” in which Ariel seems to have been put in a similar situation. Either she was asked to publish something (anything), or asked to specifically publish something on PCI; regardless, she should have spent a little bit more time on research than she did. After reading her positions, ...

Categories ArchivesHeadlines