Last month, I wrote about how the PCI DSS does not go far enough. The PCI Data Security Standard is industry-developed and industry-policed, which is the proverbial fox guarding the henhouse. This week, MasterCard, one of the founding members of the PCI Security Standards Council, announced that it is changing a key requirement for merchants that handle between 1 million and 6 million transactions annually, which it calls Level 2 merchants.
The change will require these merchants to obtain an onsite security assessment from a third-party assessor approved by MasterCard. The new requirement does not take effect until December 31, 2010, and MasterCard has not yet updated its Web site to reflect it. Currently, these merchants are only required to fill out a self-assessment questionnaire about their security, which, to my mind, explains why there have been so many breaches in the industry.
I would like to think that I had a small part in this through the power of the pen, but I would only be stroking my own ego. Regardless of why MasterCard decided to do this, I see it as a positive move on the company's part and I call on the rest of the industry to follow MasterCard's leadership.
The question still on the table is what the future holds for the Payment Card Industry and its Data Security Standard. The state of Nevada has taken matters into its own hands. Any business in Nevada that accepts payment cards must comply with the PCI DSS by January 1, 2010. In addition, any company retaining personal data, including Social Security numbers, driver's license numbers or account numbers, must use encryption when it sends that information outside the company.
In my opinion, this is a step in the right direction, but I think state and federal laws will eventually replace the loosely crafted and loosely applied standard. Let's hope that what happens in Nevada does not stay in Nevada.