In the last six months, retail executives (particularly those in audit and IT) have been closely following the debate over changes made to MasterCard’s Site Data Protection (SDP) Program in June 2009. The changes focused on a key area of achieving PCI compliance: the option to have the PCI DSS Attestation of Compliance for Onsite Assessments completed by a Qualified Security Assessor (QSA) or the merchant’s internal audit team. The new requirements stated that merchants must use a certified QSA for the annual onsite assessment by December 31, 2010.
Simply put, beginning in 2010, the new requirements would have prohibited many retailers from using their own internal audit staffs to perform the PCI DSS assessment. Instead, retailers would have been required to hire approved external QSAs at a higher cost to the company.
Many in the industry thought this demand unreasonable: retailers have invested heavily in their internal audit and IT audit executives, who work diligently to maintain independence. Those on staff performing the assessments have extensive technical expertise and training and possess an inherent knowledge of the company’s IT systems. Given the economic pressures that our industry and many others are facing, NRF failed to see the benefit of retailers incurring increased costs to hire an external QSA to perform the onsite assessment when highly qualified, fully competent individuals were already available in-house.
Over the past several months, NRF has voiced the retail industry’s concerns to MasterCard about the changes to their SDP Program. NRF argued that retailers’ internal audit executives are in a much better position than an outside firm to understand their organization’s unique business processes and have been trained to maintain objectivity. As an industry, we already do an outstanding job of using internal resources to comply with governmental regulations, such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA.
Late last week, MasterCard backed off its initial June 2009 announcement. The latest MasterCard revision will allow retailers to perform their own assessments, with one caveat: those performing the assessment must pass an annual PCI SSC certification program. Our members feel this is a reasonable approach. NRF has contacted the PCI Council to better understand the parameters of this program and will communicate those requirements to retailers. However, since retailers are tasked with protecting an antiquated payment system and are forced to store credit card data, it is NRF’s belief that this certification should come at no cost to the merchant.
One Comment
From someone who just went through the process and received PA-DSS Validation from a QSA (almost 2 years and $100K in costs), I have several comments…
MasterCard does not stand alone. Visa is imposing a July 1, 2010 date. If you agree to the MasterCard compromise… does that mean you cannot accept any other card, since you would only be Validated for MasterCard?
The language in much of the PCI-DSS and PA-DSS is very ambiguous. In-house auditors (and the same holds true for QSAs from different auditing firms) would likely interpret many requirements differently. Since you are doing so ‘in-house’, I would venture to guess that you are more at risk, since you cannot blame the misinterpretation on an outside firm that was certified by the council.
Finally, with over 1000 clients… from my non-scientific sampling, less than 5% of my merchants have any clue how this will impact them as small business owners / merchant ID holders. If the PCI group does not start educating the merchants, there will be a very long road ahead.