Categories ArchivesHeadlines

Clarification on MasterCard Level 2 Requirements standard

Javelin Strategy & Research posted an update to the new MasterCard Requirements. After speaking with John Verdeschi, Robert Vamosi pointed out an error in our initial analysis. After re-reading my material, I looked at one piece of information and made a leap (incorrectly) about the intent (see the final word here). John clarified that the intent is to use the next eighteen months as a transition period. Level 2 merchants should both submit a SAQ, and also have an On-Site assessment completed so they can submit a Report on Compliance by December 31, 2010. This means that Level 2 Merchants effectively have eighteen months to complete a readiness assessment, remediate, and validate compliance. Sorry for the confusion folks, and thank ...

Continue Reading

Nevada’s New PCI Law standard

You’ve probably heard about it by now. Thanks to a friend doing business in Nevada, I was alerted to this new law last week. Nevada is now the second state to enact laws requiring companies to comply with PCI (though, arguably, the Massachusetts Identity Theft Prevention Regulations seemed to have been lifted at a high level from PCI), the first being Minnesota. David Navetta has a great analysis from a legal perspective, and Chris Mark published his thoughts as well. One thing that is interesting about the Nevada law is an apparent Safe Harbor provision. Will this added pressure force more religious views on payment security and compliance inside companies? Or will companies continue to roll the dice with their ...

Continue Reading

More on MasterCard’s Level 2 Change standard

On Wednesday, we discussed MasterCard’s new requirement for Level 2 merchants to have an on-site assessment performed instead of submitting the Self-Assessment Questionnaire (see the final word here).  This news prompted a flurry of information around the new requirement and has merchants asking lots of questions. I clarified a couple of items from my last post and wanted to make sure they were clear. MasterCard’s 2010 deadline is more of an end to submitting SAQs as opposed to a deadline to be validated by a QSA.  This means that Level 2 merchants will continue to be able to submit SAQs until December 31, 2010, after which they will need to have the on-site assessment, performed by a QSA. The On-Site ...

Continue Reading

NEWS FLASH: MasterCard Requires On-Site QSA for Level 2 Merchants standard

Thanks to Smiley for the tip!  See the final word here. MasterCard has posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and an on-site assessment. This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually. While this is definitely going to put a dent in Level 2 merchant budgets from this point on, I truly believe that this is a smart move by MasterCard. Level 2 merchants are extremely significant in size, many of which being household names. Unfortunately, PCI self-assessments are typically poorly handled simply due to the complexity of the standard and lack of training provided ...

Continue Reading

Jeez, you guys crack me up. standard

I hate to be a cynic. OK, fine. SOMETIMES I get secret enjoyment out of being a cynic. Kind of like the enjoyment of making fun of someone in a way that they don’t know they are being made fun of. Or that satisfaction of eating candy from your kid’s Halloween stash knowing they will never miss it (unless your kid is Ms. KJ… you know who you are, you little Halloween candy auditor you…). The NRF and others “ganged up” on PCI yesterday by sending a letter demanding easier treatment under the standard. I understand the intent, and applaud them for sending the letter across. While there may be a valid point or two buried in there, I think ...

Continue Reading

The Legal Risk around PCI standard

David Navetta published a fantastic article in this month’s ISSA Journal entitled, “Who is Minding the Legal Risk around PCI” that takes a deep dive into the legal ramifications of not complying with the standard. If you do not get the journal, first off, go join the ISSA! It comes free with your membership! In the meantime, jump over to David’s blog to read the article! Towards the latter part of the article, David lays out two very real risks that I have discussed many times in this blog such as QSA shopping, rubber stamping, and scoping. Enjoy, and have a great weekend! Possibly Related Posts: PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS ...

Continue Reading

Review of PCI Congressional Hearing standard

If you missed it, you can see a recording here! See what the Twitterverse had to say here by searching for #pcihearing. TONS of coverage on this. First, I am very proud of our congress for putting this hearing together. It is clear how serious this situation is when listening to the prepared, pointed statements read in the beginning. I hope I don’t make anyone upset, but I do giggle a little bit when non-techie folks trip up on techie terms. I certainly expect someone would giggle at me if I were reading a statement of detailed medical terms and missed the words. Regardless, huge props for taking the issue on. In the next paragraphs, clicking on the individual’s name ...

Continue Reading

Guest Post: Compliant Compromise standard

The following is a guest post by Frank Castaneira. Frank is a Sr. Consulting Manager inside the Global Security Consulting practice at VeriSign. Matt Hines recently wrote about the PCI Council discussions on applicability and adequacy of the PCI Standard given reported breaches of validated entities such as Hannaford and Heartland. Branden recently discussed the PCI Council conversation on March 6. Branden suggested greater visibility by the Council into the incident response process. This posting amplifies on that solution and provides other perspectives. The discussions mentioned in Mr. Hines article focused on the QSA (Qualified Security Assessor) posture that an annual on-site assessment is relevant only for that point in time. Although, I recognize the issue (point in time), my ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!