I’ve written before about how the Payment Card Industry’s (PCI) Data Security Standard (DSS) has some loopholes that make it easy to look “compliant” and therefore “secure. In order to comply with the DSS requirments, merchants can do one of three options:
1. their own self-assessment report signed -off on by a C-level management officer;
2. hire auditors to do a self-assessment and report the C-level can sign off on;
3. or hire an independent, PCI-accredited QSA firm to provide an independent assessment and report to their acquiring bank.
Consider that the QSA firm is required to have liability insurance, pay a hefty yearly fee to the Consortium and provide an independent assessment. Chances are the independent firm will work harder to make sure their report is accurate (given the stick that the PCI hangs over their heads of ultimate liability).
It costs merchants a lot more to have the report done independently, and they can’t hide security problems as easily. Just the fact that they have the do-it-yourself option in two out of three doesn’t give me confidence in their reporting. Any time organizations “self-assess,” there can be an enormous opportunity for fraud by the unscrupulous.
Interestingly enough, MasterCard has decided to remove the “self-serve” option from Level 2 vendors by December 31, 2010. Under the new rules, Level 2 merchants must hire a PCI-approved auditor to complete an annual on site data security assessment by Dec. 31, 2010.
Previously, those merchants were only required to complete an annual self-assessment questionnaire in order to comply with MasterCard’s Site Data Protection Program. The Payment Card Industry Data Security Standard (PCI DSS) forms the baseline for MasterCard’s Site Data Protection Program.
Will PCI’s DSS begin requiring it as well? Is this a move to test the waters? I hope so. Even though VISA says it has no plans to do so, the PCI standards board has a lot more power to remove poor QSA’s than try to assess an internal team.