padss 300x200 MasterCard announces Changes to Level 1 and Level 2 PCI DSS RequirementsIn a move that is sure to cause headaches amongst IT staff and Execs, Mastercard has decided to tighten the reigns further in their never ending quest to secure people”s credit card data.

By December 31, 2010 and on a going forward basis, all level 1 and 2 merchants must validate PCI DSS compliance via an annual onsite assessment conducted by a PCI Security Standards Council (PCI SSC) certified Qualified Security Assessor (QSA).  Level 1 merchants who previously conducted onsite assessments using internal resources will no longer be permitted to do so.  Level 2 merchants who were previously permitted to validate via a Self Assessment Questionnaire (SAQ) must now also begin validating with an onsite assessment by a QSA.  All level 1 and 2 merchants must submit a fully compliant Report on Compliance (ROC) from their QSA by December 31, 2010.

While this is surely a boon to the Network Security consulting industry, its a move that is going to cost alot of companies a great deal of money. Previously, Level 2 merchants were only required to submit to a quarterly external network scan Verwijzingen naar het spel zijn te vinden casino online in La la roulette – een roman van Jacques Lable – waar 2 sleuven aan de bank (het huis) werden toegeschreven. and a yearly self-assessment questionnaire.  Now, they, like Level 1 merchants, must have a yearly onsite assessment performed.  For many companies, depending on the size, this are going to be in depth audits that may force them to change man of the ways they do business.

PCI-DSS, unfortunately, is a useless standard. Companies should perform best practices, and if they don”t, they should pay for it.  The fact that they have to be beaten into submission through scans, audits, and fines is silly. All of the recent major breaches of credit card data were all from PCI certified companies. So what does that tell us?

Here”s a great article about some of the problems with the PCI standard:

http://securitybuddha.com/2007/03/23/the-problems-with-the-pci-data-security-standard-part-1/