Sunday, September 13, 2009

MasterCard's Security Changes and Their Impact on PCI Compliance

Over the past few months, MasterCard has made two major security changes that will, in all likelihood, affect PCI compliance now and in the future for a large number of businesses.

First, MasterCard advised all Level 2 merchants (those processing between 1 and 6 million payment card transactions annually) that a Self-Assessment Questionnaire (SAQ) would no longer be sufficient for compliance; Level 2 merchants will now be required to have a third party perform an on-site assessment. This new change "can cost $10,000 - $30,000 per year for a merchant already PCI-compliant and more for a retailer meeting the standard for the first time."

Not too surprisingly, merchants are looking at alternative payment methods (e.g., PayPal) in order to reduce the number of card transactions they process, and with it their merchant level.

MasterCard's second big security change is to disallow merchants' use of RKI (remote key injection) services to load new encryption keys onto POS terminals. This new rule jeopardizes the ongoing Triple DES migration for POS terminals: merchants have until July 2010 to upgrade their POS terminals from single DES to Triple DES for PIN encryption. If that key loading now has to be done manually, terminal by terminal, rather than remotely with RKI, meeting the July 2010 deadline could become quite difficult for businesses with a large number of POS terminals.

