MasterCard Compliance and the Payment Card Industry Data Security Standards (PCI DSS)
In recent decades, fraud and identity theft have become major concerns worldwide because of the increasing threats they pose to individuals and organizations. The payment card industry was encouraged to take action in 2004 when MasterCard joined forces with Visa® to protect its most valuable commodity: information. The two companies created the Payment Card Industry Data Security Standards (PCI DSS) and were joined by the other major credit card companies (Discover®, American Express® and JCB International®) in 2006. Together they created the PCI Security Standards Council (PCI SSC) to act as a governing body overseeing the PCI DSS, the first set of rules regulating the security of sensitive information, including credit card numbers, expiration dates, names and addresses.
All Merchants Who Accept MasterCard Must Be PCI Compliant
The effectiveness of the PCI DSS has become increasingly apparent, and MasterCard considers it the gold standard in data security; as such, all merchants who accept MasterCard must be PCI compliant. MasterCard has instituted its own internal program, the Site Data Protection (SDP) program, to support the work of the council and encourage compliance. The program requires that merchants demonstrate PCI compliance using three essential tools, which protect against a data security breach by identifying and fixing vulnerabilities in security processes and procedures.
1. Self-Assessment Questionnaire (SAQ)
The SAQ will lead you step by step through a complex inquiry process to determine how well you are meeting the data security standards and determine if your business is PCI compliant. If you are not in compliance, the SAQ will provide you with recommendations on how you can get compliant.
2. Compliance Auditing for Risk Assessment
An onsite risk assessment, also known as a compliance audit, is designed to help you identify any vulnerability in your credit card processing. A compliance audit must be conducted by a qualified security assessor approved by the PCI SSC due to the sensitive nature of credit card data.
3. Compliance Scanning
Regular testing through compliance scanning is one of the best ways to maintain security at the highest level. PCI scans look for vulnerabilities that could leave you open to attack and potentially lead to a data security breach. These compliance scans, which examine your networks, applications, databases and other systems, can only be conducted by an approved scanning vendor.
MasterCard’s Four Steps to SDP Compliance
To make compliance easier, MasterCard has established a simple, four-step process for becoming SDP compliant.
- Identify your merchant level: PCI DSS outlines four levels of merchants, based on annual volume of payment transactions and potential risk.
- Review the compliance validation tools: The SAQ, compliance auditing and compliance scanning.
- Engage an approved vendor: Only a qualified security assessor is allowed to administer a compliance audit.
- Register: You must renew your registration annually, which means you must continue to maintain compliance.
The SDP Program, with the PCI DSS as its foundation, details the data security requirements and compliance validation requirements to protect stored and transmitted MasterCard payment account data. Once you have successfully completed the compliance process and received all supporting documentation, TransFirst® can register you with MasterCard.