MasterCard Site Data Protection Program - PowerPoint PPT Presentation

1 / 14
About This Presentation
Title:

MasterCard Site Data Protection Program

Description:

MasterCard Site Data Protection Program Program Alignment SDP Program Alignment As announced to our membership in December 2004, the MasterCard SDP Program and the ... – PowerPoint PPT presentation

Number of Views:110
Avg rating:3.0/5.0
Slides: 15
Provided by: besti98
Category:

less

Transcript and Presenter's Notes

Title: MasterCard Site Data Protection Program


1
MasterCard Site Data Protection Program
  • Program Alignment

2
SDP Program Alignment
  • As announced to our membership in December 2004,
    the MasterCard SDP Program and the Visa CISP/AIS
    Program have aligned in the following areas
  • common levels and participation criteria for
    merchants and service providers (U.S. and Europe)
  • cross recognition of qualified onsite assessors
    and compliant security scanning vendors (U.S. and
    Europe)
  • common security standard documentation (endorsed
    by Amex, Discover, JCB and Diners)
  • auditing procedures
  • scanning procedures
  • self-assessment/questionnaire

3
SDP Program Alignment - Merchants
  • Level 1 Merchants effective 30 June 2005
  • All merchants that have suffered a hack or an
    attack that resulted in an account data
    compromise and
  • All MasterCard merchants (face-to-face, MOTO,
    e-commerce, Maestro, etc.), with greater than six
    million combined total transactions annually and
  • All merchants that meet or exceed the level 1
    criteria of a competing payment brand and
  • Any merchant that MasterCard, at its sole
    discretion, determines should meet the Level 1
    merchant requirements to minimize risk to the
    system
  • All Level 1 Merchants must successfully complete
    an annual onsite review (may be conducted through
    an internal auditor) and quarterly scans

All referenced compliance dates are unique to
MasterCard
4
SDP Program Alignment Merchants
  • Level 2 Merchants effective 30 June 2004
    (formerly Tier 1)
  • All merchants with annual e-commerce transactions
    between 150,000 and 6 million
  • All merchants that meet or exceed the Level 2
    criteria of a competing payment brand
  • All Level 2 Merchants must successfully complete
    quarterly scans and an annual self-assessment

5
SDP Program Alignment Merchants
  • Level 3 Merchants effective 30 June 2005
    (formerly Tier 2)
  • All merchants with annual e-commerce transactions
    between 20,000 and 150,000
  • All merchants that meet or exceed the level 3
    criteria of a competing payment brand
  • All Level 3 Merchants must successfully complete
    quarterly scans and an annual self-assessment
  • Level 4 Merchants Optional
  • All other merchants are recommended to become
    compliant to reduce risk and gain access to a
    potential waiver against account data compromise
    assessments
  • Recommended compliance steps include an annual
    security scan and an annual self-assessment

6
SDP Program Alignment Service Providers
  • Level 1 Service Providers
  • Effective 30 June 2004 (formerly Tier1)
  • All TPPs and DSEs that store data on behalf of
    Level 1 and 2 merchants must complete a scan and
    self-assessment
  • Effective 30 June 2005
  • New requirement of an annual onsite review
  • Level 2 Service Providers effective 30 June 2005
  • All TPPs and DSEs that store data on behalf of
    Level 3 merchants must complete an onsite review
    and quarterly scans
  • Level 3 Service Providers Optional

The term Service Provider collectively refers to
Third Party Providers (TPPs) and Data Storage
Entities (DSEs).
7
SDP Program Alignment Technical Documentation
  • The SDP Program now utilizes four common
    documents
  • Payment Card Industry (PCI) Data Security
    Standard
  • developed by MasterCard and Visa
  • endorsed by Amex, Discover, Diners and JCB.
  • PCI Security Audit Procedures
  • PCI Security Scanning Procedures
  • PCI Self Assessment Questionnaire
  • In addition to these PCI Standards, MasterCard
    also has published and maintains the following
    related documents
  • Security Standard Applicable to Scanning Vendors
  • Electronic Commerce Architecture Best Practices

8
Vendor Cross-Recognition
  • Onsite reviewers
  • Visa will continue to qualify onsite reviewers
    globally through each Visa region
  • MasterCard requires that all onsite reviewers be
    qualified by Visa
  • Security Scanning Vendors
  • MasterCard will continue security scanning
    compliance testing on a global basis
  • Visa requires that all security scanning vendors
    successfully complete MasterCard compliance
    testing

9
MasterCard SDP Compliance Process for Members
  • Member Compliance Process
  • Members determine merchant and service provider
    compliance based on vendor recommendations/reports
  • SDP registrations via the Merchant Registration
    Program (MRP)
  • MRP is available to MasterCard members only
  • Accessed through a MasterCard subscription
    service called MasterCard Online (MOL)
  • Requires Members to annually register both
    merchants and service providers as compliant
  • Regular submission of SDP Status Forms
  • Non-compliance assessments

10
MasterCard SDP Compliance Processfor Merchants
and Service Providers
  • Merchants and service providers are responsible
    for selecting a qualified onsite assessor and/or
    a compliant security scanning vendor
  • Vendors should provide reports directly to
    merchants and service providers
  • Merchants and service providers share those
    reports with Acquiring Members
  • Executive Summary reports or vendor letters of
    attestation are critical for acquirer compliance
    determination. For onsite audits, please consult
    regional Visa requirements regarding formal
    recommendations of compliance.

11
MasterCard SDP Compliance ProcessSelf-Assessment
Questionnaire
  • Requirement for Level 2 and 3 merchants
  • 74 Questions organized according to the PCI
    standards 12 requirements
  • Merchants and service providers are not required
    to engage a vendor or use a vendor portal for
    completing the self-assessment
  • Vendors may choose to offer self-assessment
    services
  • Portal for completion
  • Remediation

12
Scan Vendor Compliance Testing Program2005
Testing Scope
  • New version of the Security Standard Applicable
    to Scanning Vendors
  • Beginning April 2005, new sets of vulnerabilities
    to be identified during testing
  • Wider variety of Operating Systems
  • New hardware platforms including non-Intel
    architectures
  • All major databases, application servers, latest
    web servers
  • Web application, as per the Open Web Application
    Security Project (OWASP)
  • Extension of testing to WLAN security (under
    investigation)

13
Scan Vendor Compliance Testing Program2005
Service
  • Improved level of service
  • Start of an approval maintenance process
  • To ensure that tested scan solutions are kept
    current with latest vulnerabilities
  • Revalidation process to start in April 2005
  • Vendors will progressively be called in to
    re-test their scanning solutions
  • Registration will include one test session
  • Additional 2 test sessions (max) subject to fee

14
MasterCard Support
  • For MasterCard support on
  • Web site https//sdp.mastercardintl.com
  • Vendor compliance testing SDP_Vendor_Compliance_at_
    mastercard.com
  • SDP Program sdp_at_mastercard.com
  • Vendor communications and business relationship
    management tom_maxwell_at_mastercard.com
Write a Comment
User Comments (0)
About PowerShow.com