Thursday, December 17, 2009

MasterCard Revises L2 Validation Requirements

If your school has any Level 2 merchants, you might benefit from changes in MasterCard’s merchant level definitions (see here).

If you have a Level 2 merchant for Visa, they are also L2 for MasterCard. Under MasterCard's rules introduced this summer, L2s will need to complete an onsite assessment by a QSA. The original deadline was December 31, 2010.

As of yesterday, the new effective date is June 30, 2011.
MasterCard is allowing 6 more months for Level 2 merchants and their processors to make the transition.

There's more.

The original requirement was for a QSA to prepare a Report on Compliance (ROC), but that, too, has been modified to give you an option of using your Internal Audit staff provided:
“[T]hat primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any PCI SSC associated accreditation program annually in order to continue to use internal auditors.”

This means that while Level 2 merchants still need an onsite assessment, they have the option of using their Council-trained internal audit staff to conduct that assessment if they choose.

The good news is MasterCard cut some major slack by moving back the effective date 6 months, and they re-instituted the option of having internal audit staff conduct the onsite.

I still have some open questions, and I'll continue to follow developments. For example:

  • If an internal auditor performs the onsite, must they follow the same guidelines as a QSA in preparing the ROC?

  • Can an internal auditor use an SAQ or even a simplified SAQ? The wording on the website is unclear.

  • Will the Council review internal auditors’ ROCs (or SAQs) as they do with QSAs?

  • Will Visa implement similar requirements?

I personally give lots of credit to MasterCard for listening to merchants (they didn't have to!) and being willing to respond to the needs of merchants and acquirers by extending the deadline. At least they gave more time for L2 merchants to respond and gave them the option of using their internal audit staff.

Now it is up to merchants and their acquirers to implement the changes smoothly.

Wednesday, December 16, 2009

Attack of the Christmas Greeting Cards

The following warning appeared on the SANS Storm Center. Ignore it at your peril!

With the holiday season upon us, lots of folks (me included) have elected to send online greeting cards instead of using traditional paper cards, "saving" the carbon and emissions footprint involved in traditional mail services (not that email is carbon free or anything, but that's a whole other discussion).

Just a word of warning - as happens every year, fake greeting cards are being circulated via email, with malware payloads attached. We got our first reader email on this today; Daniel received a greeting card with a ".net" at the tail end of a legitimate domain. The attackers even went to the trouble of making their site look like the real one! These attacks use more sophisticated phishing techniques every year, and the malware payloads are of course also more difficult to detect each time.

So if you get a greeting card, even if it's from someone you know, be sure that the link you click is taking you where you expect to go. Check that the link is to a reputable greeting card site, and that it doesn't have "extra" characters at the end, that would indicate you are going someplace else entirely. Even better, "don't click that link!" - copy and paste it into your browser rather than clicking it directly, that way you have that much more assurance that you know where you are browsing to.

Have a safe, malware-free holiday everyone!
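The warning's advice to check for "extra" characters after a legitimate domain can be turned into a simple link-checking routine. This is an added example, not code from the SANS post or from this blog; the host names are constructed for illustration and the classification labels are my own.

```python
from urllib.parse import urlsplit


def _contains_labels(host_labels, expected_labels):
    """True if expected_labels occur as a contiguous run inside host_labels."""
    n = len(expected_labels)
    return any(host_labels[i:i + n] == expected_labels
               for i in range(len(host_labels) - n + 1))


def classify_link(url: str, expected_domain: str) -> str:
    """Classify where a greeting-card link really leads.

    Returns one of:
      'ok'        host is expected_domain itself or a subdomain of it
      'appended'  expected_domain appears in the host but extra labels
                  follow it (e.g. cards.example.com.net), the pattern
                  the warning above describes
      'unrelated' host has nothing to do with expected_domain
      'invalid'   the link has no usable host name
    """
    expected = expected_domain.strip().lower().rstrip(".")
    # urlsplit().hostname is lowercased and has any user:pass@ part removed,
    # so only the real host is compared, not text placed in front of it.
    host = (urlsplit(url.strip()).hostname or "").rstrip(".")
    if not host:
        return "invalid"
    if host == expected or host.endswith("." + expected):
        return "ok"
    if _contains_labels(host.split("."), expected.split(".")):
        return "appended"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links; example.com stands in for a real card site.
    for link in ("https://www.example.com/card/1234",
                 "http://www.example.com.net/card/1234",
                 "https://example.com@cards.unrelated-host.test/"):
        print(link, "->", classify_link(link, "example.com"))
```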

Tuesday, December 15, 2009

New PCI Column

Those of you who know me know that I have written a number of articles for publication in addition to this Higher Ed PCI blog. This is to let you know that I have started writing a weekly (eek!) PCI column for

My premier effort was this column on in-scope vs. out-of-scope data for PCI. It followed an interview I did the previous week. I've since written about MasterCard's new validation requirements for L2 merchants, and travel/purchasing cards. This week's column should be out soon.

I hope you'll add SFBT to your bookmarks or RSS feed. Evan Schuman covers a range of retail-focused card issues, many of which apply to Higher Ed, too. And besides, it gives you another chance to take shots at me and/or my opinions!

I am taking over for good friend Dave Taylor who passed away so suddenly and so unexpectedly last month. Dave set a very high standard for the weekly PCI column, and I will try my best to keep up. In my own way, this is sort of a continuing tribute to Dave.

Meanwhile, everything will continue as usual here at the Treasury Institute blog. Wish me luck!

Thursday, December 10, 2009

The PCI Knowledge Base Continues

As most of you know, David Taylor, founder of the PCI Knowledge Base, died this past October. His work, the PCI Knowledge Base, lives on. The website and discussion forums are continuing. Stop by. Search some of the great webinars and check out the continuing flow of new content. And stay tuned for additional developments.

Friday, December 4, 2009

PCI at a Discount!

Good friend Anton Chuvakin (aka Security Warrior) and co-author Branden Williams have released their book "PCI Compliance." If you go to Anton's website (click here) you will see a discount code good for 30% off the price and a link to the website to purchase a copy.

I haven't seen the book, but I have my own copy coming. Given the experience and expertise of the authors, it's a can't miss.

Tuesday, December 1, 2009

PCI Council Webinar Next Week Open to All

The PCI Security Standards Council is inviting all payment industry stakeholders -- yes, that includes YOU -- to attend their next “Open Mic” webinar. Typically, these sessions are reserved for Participating Organizations, but (maybe as a holiday present?) the Council is making this one open to all.

The two webinars will be held on Tuesday, December 8 at 3:00 p.m. ET and Wednesday, December 9 at 11:00 a.m. ET. PCI SSC General Manager Bob Russo will host the session, providing a brief update on PCI SSC initiatives, followed by a live Q&A session. The update will cover the Community Meeting, next steps in the lifecycle process to revise and update the DSS, and some recently published resources on the Council's website.

To register for the Tuesday, December 8 session, use this link.

To register for the Wednesday, December 9 session, use this link.

I hope a lot of you will register and attend one of (both?) these webinars. I'd like to encourage the Council's commendable efforts to reach out to the broader PCI community beyond just the Participating Organizations.