MasterCard Site Data Protection Program
Program Alignment
SDP Program Alignment
• As announced to our membership in December 2004, the MasterCard SDP Program and the Visa CISP/AIS Program have aligned in the following areas:
  • common levels and participation criteria for merchants and service providers (U.S. and Europe)
  • cross-recognition of qualified onsite assessors and compliant security scanning vendors (U.S. and Europe)
  • common security standard documentation (endorsed by Amex, Discover, JCB and Diners)
  • auditing procedures
  • scanning procedures
  • self-assessment questionnaire
SDP Program Alignment – Merchants
• Level 1 Merchants: effective 30 June 2005*
  • All merchants that have suffered a hack or an attack that resulted in an account data compromise; and
  • All MasterCard merchants (face-to-face, MOTO, e-commerce, Maestro, etc.) with greater than six million combined total transactions annually; and
  • All merchants that meet or exceed the Level 1 criteria of a competing payment brand; and
  • Any merchant that MasterCard, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
• All Level 1 Merchants must successfully complete an annual onsite review (may be conducted by an internal auditor) and quarterly scans
* All referenced compliance dates are unique to MasterCard
SDP Program Alignment – Merchants
• Level 2 Merchants: effective 30 June 2004 (formerly Tier 1)
  • All merchants with annual e-commerce transactions between 150,000 and 6 million
  • All merchants that meet or exceed the Level 2 criteria of a competing payment brand
• All Level 2 Merchants must successfully complete quarterly scans and an annual self-assessment
SDP Program Alignment – Merchants
• Level 3 Merchants: effective 30 June 2005 (formerly Tier 2)
  • All merchants with annual e-commerce transactions between 20,000 and 150,000
  • All merchants that meet or exceed the Level 3 criteria of a competing payment brand
• All Level 3 Merchants must successfully complete quarterly scans and an annual self-assessment
• Level 4 Merchants: Optional
  • All other merchants are recommended to become compliant to reduce risk and gain access to a potential waiver against account data compromise assessments
  • Recommended compliance steps include an annual security scan and an annual self-assessment
SDP Program Alignment – Service Providers*
• Level 1 Service Providers:
  • Effective 30 June 2004 (formerly Tier 1): all TPPs and DSEs that store data on behalf of Level 1 and 2 merchants must complete a scan and self-assessment
  • Effective 30 June 2005: new requirement of an annual onsite review
• Level 2 Service Providers: effective 30 June 2005
  • All TPPs and DSEs that store data on behalf of Level 3 merchants must complete an onsite review and quarterly scans
• Level 3 Service Providers: Optional
* The term Service Provider collectively refers to Third Party Providers (TPPs) and Data Storage Entities (DSEs).
SDP Program Alignment – Technical Documentation
The SDP Program now utilizes four common documents:
• Payment Card Industry (PCI) Data Security Standard
  • developed by MasterCard and Visa
  • endorsed by Amex, Discover, Diners and JCB
• PCI Security Audit Procedures
• PCI Security Scanning Procedures
• PCI Self-Assessment Questionnaire
In addition to these PCI standards, MasterCard also publishes and maintains the following related documents:
• Security Standard Applicable to Scanning Vendors
• Electronic Commerce Architecture Best Practices
Vendor Cross-Recognition
• Onsite reviewers
  • Visa will continue to qualify onsite reviewers globally through each Visa region
  • MasterCard requires that all onsite reviewers be qualified by Visa
• Security Scanning Vendors
  • MasterCard will continue security scanning compliance testing on a global basis
  • Visa requires that all security scanning vendors successfully complete MasterCard compliance testing
MasterCard SDP Compliance Process for Members
• Member Compliance Process
  • Members determine merchant and service provider compliance based on vendor recommendations/reports
  • SDP registrations via the Merchant Registration Program (MRP)
    • MRP is available to MasterCard members only
    • Accessed through a MasterCard subscription service called MasterCard Online (MOL)
    • Requires Members to annually register both merchants and service providers as compliant
  • Regular submission of SDP Status Forms
  • Non-compliance assessments
MasterCard SDP Compliance Process for Merchants and Service Providers
• Merchants and service providers are responsible for selecting a qualified onsite assessor and/or a compliant security scanning vendor
• Vendors should provide reports directly to merchants and service providers
• Merchants and service providers share those reports with Acquiring Members
• Executive Summary reports or vendor letters of attestation are critical for acquirer compliance determination. For onsite audits, please consult regional Visa requirements regarding formal recommendations of compliance.
MasterCard SDP Compliance Process – Self-Assessment Questionnaire
• Requirement for Level 2 and 3 merchants
• 74 questions organized according to the PCI standard's 12 requirements
• Merchants and service providers are not required to engage a vendor or use a vendor portal for completing the self-assessment
• Vendors may choose to offer self-assessment services
  • Portal for completion
  • Remediation
Scan Vendor Compliance Testing Program: 2005 Testing Scope
• New version of the “Security Standard Applicable to Scanning Vendors”
• Beginning April 2005, new sets of vulnerabilities to be identified during testing:
  • Wider variety of operating systems
  • New hardware platforms, including non-Intel architectures
  • All major databases, application servers and the latest web servers
  • Web application vulnerabilities, as per the Open Web Application Security Project (OWASP)
  • Extension of testing to WLAN security (under investigation)
Scan Vendor Compliance Testing Program: 2005 Service
• Improved level of service
• Start of an approval maintenance process
  • To ensure that tested scan solutions are kept current with the latest vulnerabilities
  • Revalidation process to start in April 2005
  • Vendors will progressively be called in to re-test their scanning solutions
• Registration will include one test session
  • Up to 2 additional test sessions, subject to a fee
MasterCard Support
• For MasterCard support on:
  • Web site: https://sdp.mastercardintl.com
  • Vendor compliance testing: SDP_Vendor_Compliance@mastercard.com
  • SDP Program: sdp@mastercard.com
  • Vendor communications and business relationship management: tom_maxwell@mastercard.com