In the last six months, retail executives (particularly those in audit and IT) have been closely following the debate over changes made to MasterCard’s Site Data Protection (SDP) Program in June 2009. The changes focused on a key area of achieving PCI compliance: the option to have the PCI DSS Attestation of Compliance for Onsite Assessments completed by a Qualified Security Assessor (QSA) or the merchant’s internal audit team. The new requirements stated that merchants must use a certified QSA for the annual onsite assessment by December 31, 2010.
Simply put, beginning in 2010, the new requirements would have prohibited many retailers from utilizing their own internal audit staffs to perform the PCI DSS assessment. Instead, retailers would have been required to hire approved external QSAs at a higher cost to the company.
Many in the industry thought this demand unreasonable – retailers have invested heavily in their internal audit and IT audit executives, who work diligently to maintain independence. Those on staff performing the assessments have extensive technical expertise and training and possess an inherent knowledge of the company’s IT systems. Given the economic pressures that our industry and many others are facing, NRF failed to see the benefit of retailers incurring increased costs to hire an external QSA to perform the onsite assessment when highly qualified, fully competent individuals were already available in-house.
Over the past several months, NRF has voiced the retail industry’s concerns to MasterCard about the changes to their SDP Program. NRF argued that retailers’ internal audit executives are in a much better position than an outside firm to understand their organization’s unique business processes and have been trained to maintain objectivity. As an industry, we already do an outstanding job of using internal resources to comply with governmental regulations, such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA.
Late last week, MasterCard backed off their initial June 2009 announcement. The latest MasterCard revision will allow retailers to perform their own assessments, with one caveat: that those performing the assessment pass an annual PCI SSC certification program. Our members feel this is a reasonable approach. NRF has contacted the PCI Council to better understand the parameters of this program and will communicate those requirements to retailers. However, since retailers are tasked with protecting an antiquated payment system and forced to store credit card data, it is NRF’s belief that this certification should come at no cost to the merchant.