
MasterCard Becomes The First Card Brand To Publish PCI Fines

Written by Evan Schuman
August 6th, 2009

MasterCard has become the first card brand to publish its PCI fine schedule and the related validation requirements, a move that may be the latest signal that MasterCard wants to step out of the PCI shadow of its larger rival, Visa. The dollar amounts themselves are not a radical change, although they do include some healthy increases.

“The noncompliance assessment structure now contains escalating assessments per violation within a calendar year,” said the document sent to members earlier this summer. “Maximum assessments for initial noncompliance for Level 2 and Level 3 merchants have increased to $25,000 and $10,000, respectively. Furthermore, the $500,000 annual aggregate maximum for acquirer noncompliance assessments related to program noncompliance has been discontinued.”

As for the escalations, MasterCard groups Level 1 and Level 2 merchants together: the first violation within a calendar year costs $25,000, the second $50,000, the third $100,000 and the fourth $200,000. Level 3 merchants face $10,000, $20,000, $40,000 and $80,000 for the first through fourth violations. Level 1 and Level 2 service providers are on the same schedule as Level 1 and Level 2 merchants: $25,000, $50,000, $100,000 and $200,000.

Terri Quinn-Andry, Cisco’s senior manager of PCI, said she applauds MasterCard’s newfound openness and hopes the new fines will be effective. But does she truly think they will have an impact? “I think if they truly enforce the fine structure, that will make a difference,” she said. “Of course, we won’t know that until 2011.”

The document also confirmed earlier reports of somewhat more stringent rules for on-site assessments. “All Level 1 merchants that have engaged an internal auditor before 15 June 2009 must validate compliance with the PCI DSS via an annual onsite assessment conducted by a PCI SSC certified QSA by 31 December 2010,” the document said. “Effective 31 December 2010, all Level 2 merchants must complete an annual onsite assessment conducted by a PCI SSC certified QSA.”

Until now, a Level 1 merchant could satisfy the requirement by having its own internal auditor perform the assessment; under the new rules, the annual on-site assessment must be done by an independent, PCI SSC certified QSA.



11 Comments

  1. James Reinhard Says:

    I do not understand why an organization’s internal audit department cannot perform the assessment? Is it an independence issue? Is it a qualifications issue?

  2. Sean McDermott Says:

    James – it is both and more.
    First, companies should be applying even more stringent security requirements than those required by PCI. They don’t – and the fact is they will always apply the lowest set of standards they can get away with because securing data costs money.
    Secondly, it would be a conflict of interest to have a company performing its own security assessment. IMO, the SAQ is one of PCI’s greatest faults.
    And lastly, the food industry has shown how well self-examination and certification programs work.

  3. Jason Says:

    Well said Sean, you hit the nail on the head.

  4. Chuck Williams Says:

    Notwithstanding the need for independent “3rd party” assessments, I find the interpretation of many of the PCI DSS requirements to be subjective depending on which QSA is rendering an opinion. In many cases we’ve received a favourable opinion from one QSA and a contradictory opinion from another. The merchant is left pondering the futility of it all.

  5. Bryan Johnson Says:

    Despite the sensibility of PCI standards normalization across card brands, it seems that most can’t resist maintaining something unique. Which, in the end, complicates matters.

    I also agree with Terri Quinn-Andry, it’s nice to see some openness from MasterCard.

  6. Steve Davies Says:

    In many other professions, medical, legal and professional engineering to name a few, second opinions and differences of opinions are the norm. The folks at the PCI Security Standards Council insist that each Qualified Security Assessor weigh the exact circumstances and render their own opinion. I think this is exactly the way it should be. Only the QSA has enough information at hand to render an opinion. Of course, just like doctors and lawyers, QSAs are human and have different interpretations of the same information. In the end, I think merchants benefit from this. There is more than one secure (and many insecure) implementation in most cases and this affords the merchant greater flexibility.

  7. Gareth Says:

    @steve –

    Unlike doctors, lawyers and legal professionals, there are no enforced minimum standards of education and training for QSAs. Two days of “training” and an open-book exam do not equate to a professional opinion.

    The supposed 5 years of previous experience is not checked by anybody. No previous audit experience or qualification is required. Your security experience could have been doing literally anything – I know an AV analyst with 3 years of experience who is now a QSA.

    The scheme is absolute junk for those reasons and more.

  8. Jeff Wilder Says:

    As a QSA with numerous years of audit and security experience, I can speak from a position of authority on this subject. What I find difficult is that the card brands provide all the data in clear text to begin with and then put the onus of responsibility to protect it on the same person who is selling you the ice cream. If the card brands truly wish to protect their data, then they should change the architecture on which card processing is built (via strong encryption, salted hash values, one-time card numbers, etc.) and own the process of protecting the data themselves, rather than relying on the shoe store, clothing store or local restaurant. Let’s not forget who actually owns the data here: it’s not the merchant or service provider. The card brands need to take ownership.

  9. Jim Bagozzi Says:

    I certainly support the standards approach and the attempt from the industry to self-regulate. Unfortunately, the ‘bad guys’ always seem to be one step ahead. Matter of point: the major breaches that have hit the press over the past few years have been attacks on ‘PCI Certified / Compliant’ organizations.

  10. Bob Smith Says:

    I agree with Jeff Wilder. The current system is fundamentally flawed. It is based on the idea of keeping a plain-text number secret; a number which you must share with everyone you do business with. In a typical e-commerce transaction, the card data could be stolen by a virus/keylogger on the consumer’s computer, a packet sniffer on a compromised network, from a compromised web server, from a compromised card processor, from a compromised internal system at the merchant, by a dishonest employee, etc. The idea that PCI compliance will change anything is unrealistic.

    The card companies are deflecting the responsibility to the merchants instead of fixing the problem. The system needs to be changed.

  11. Eric Jernigan Says:

    I don’t understand how you can do a risk assessment involving PCI unless fines are published and transparent. I have been relying on the word of QSAs to get this information but that is a BS way to get this basic kind of information.

    ALL fines and sanctions regarding PCI noncompliance/breach need to be on the http://www.pcisecuritystandards.org site. PERIOD.
