Getting MasterCard Compliant
The dawn of the Internet in the 1990s put a tremendous amount of information at the fingertips of the average individual. And while the information age has been a time of great opportunity, it is also fraught with peril. In less than 20 years, fraud and identity theft have become major concerns worldwide, creating a tremendous impact on the payment card industry.
A Short History of Data Protection
To combat the increasing threats posed by hackers, MasterCard joins forces with Visa to better protect the most valuable commodity of the new millennium – information. Together, the two companies create the Payment Card Industry Data Security Standards (PCI DSS).
The effectiveness of the PCI DSS has become increasingly apparent. The other major credit card companies (Discover, American Express and JCB International) join MasterCard and Visa in establishing a governing body to oversee the standards, giving birth to the PCI Security Standards Council (PCI SSC).
MasterCard continues to value the PCI DSS as the gold standard in data security, and to that end requires all merchants who accept MasterCard to be PCI compliant. Since the creation of the PCI SSC, MasterCard has established its own internal program to support the work of the council and encourage compliance.
The PCI DSS was the first set of rules to regulate the security of sensitive cardholder information, including
- credit card numbers
- expiration dates
SDP and PCI Compliance
MasterCard believes that the best way to protect against a data security breach is to protect credit card processing systems by identifying and fixing vulnerabilities in security processes and procedures. To that end, it has established the Site Data Protection (SDP) program, which requires that merchants demonstrate PCI compliance using three essential tools.
Self-Assessment Questionnaire (SAQ)
The SAQ is a practical and effective instrument for determining whether your business is PCI compliant. It leads you step by step through a detailed set of questions to determine how well you are meeting the data security standards. If you are not in compliance, the SAQ provides recommendations on how to become compliant.
Onsite Risk Assessment
Also known as a compliance audit, an onsite risk assessment is designed to help you examine your credit card processing systems and identify vulnerabilities before data can be compromised. Because of the sensitive nature of credit card data, a compliance audit must be conducted by a Qualified Security Assessor (QSA) approved by the PCI SSC.
Compliance Scanning
One of the best ways to maintain security at the highest level is to test it regularly. PCI scans look for vulnerabilities in your networks, applications, databases and other systems that could leave you open to attack and potentially lead to a data security breach. Compliance scans may only be conducted by an Approved Scanning Vendor (ASV).
4 steps to SDP compliance
To make compliance easier, MasterCard has established a simple, 4-step process for becoming SDP compliant.
1. Identify your merchant level
PCI DSS defines four levels of merchants, based on annual volume of payment transactions and potential risk; the level you fall into determines which validation tools you must use.
2. Review the compliance validation tools
Familiarize yourself with the three basic tools for compliance (listed above): the SAQ, compliance auditing and compliance scanning.
3. Engage an approved vendor
Due to the sensitive nature of credit card data, only a Qualified Security Assessor is allowed to administer a compliance audit, and where compliance scans are required they must be conducted by an Approved Scanning Vendor.
4. Register with MasterCard
Once you have successfully completed the compliance process and received all supporting documentation, have your merchant services provider register you with MasterCard. You must renew your registration annually, which means you must continue to maintain compliance.