MasterCard Site Data Protection Program - PowerPoint PPT Presentation
1
MasterCard Site Data Protection Program
  • Program Alignment

2
SDP Program Alignment
  • As announced to our membership in December 2004,
    the MasterCard SDP Program and the Visa CISP/AIS
    Program have aligned in the following areas:
      • common levels and participation criteria for
        merchants and service providers (U.S. and Europe)
      • cross recognition of qualified onsite assessors
        and compliant security scanning vendors (U.S. and
        Europe)
      • common security standard documentation (endorsed
        by Amex, Discover, JCB and Diners):
          • auditing procedures
          • scanning procedures
          • self-assessment questionnaire

3
SDP Program Alignment - Merchants
  • Level 1 Merchants (effective 30 June 2005)
      • All merchants that have suffered a hack or an
        attack that resulted in an account data
        compromise, and
      • All MasterCard merchants (face-to-face, MOTO,
        e-commerce, Maestro, etc.) with greater than six
        million combined total transactions annually, and
      • All merchants that meet or exceed the Level 1
        criteria of a competing payment brand, and
      • Any merchant that MasterCard, at its sole
        discretion, determines should meet the Level 1
        merchant requirements to minimize risk to the
        system
  • All Level 1 Merchants must successfully complete
    an annual onsite review (may be conducted through
    an internal auditor) and quarterly scans

All referenced compliance dates are unique to
MasterCard
4
SDP Program Alignment - Merchants
  • Level 2 Merchants (effective 30 June 2004;
    formerly Tier 1)
      • All merchants with annual e-commerce transactions
        between 150,000 and 6 million
      • All merchants that meet or exceed the Level 2
        criteria of a competing payment brand
  • All Level 2 Merchants must successfully complete
    quarterly scans and an annual self-assessment

5
SDP Program Alignment - Merchants
  • Level 3 Merchants (effective 30 June 2005;
    formerly Tier 2)
      • All merchants with annual e-commerce transactions
        between 20,000 and 150,000
      • All merchants that meet or exceed the Level 3
        criteria of a competing payment brand
  • All Level 3 Merchants must successfully complete
    quarterly scans and an annual self-assessment
  • Level 4 Merchants (optional)
      • All other merchants are recommended to become
        compliant to reduce risk and gain access to a
        potential waiver against account data compromise
        assessments
      • Recommended compliance steps include an annual
        security scan and an annual self-assessment

6
SDP Program Alignment - Service Providers
  • Level 1 Service Providers
      • Effective 30 June 2004 (formerly Tier 1):
        all TPPs and DSEs that store data on behalf of
        Level 1 and 2 merchants must complete a scan and
        self-assessment
      • Effective 30 June 2005:
        new requirement of an annual onsite review
  • Level 2 Service Providers (effective 30 June 2005)
      • All TPPs and DSEs that store data on behalf of
        Level 3 merchants must complete an onsite review
        and quarterly scans
  • Level 3 Service Providers (optional)

The term Service Provider collectively refers to
Third Party Providers (TPPs) and Data Storage
Entities (DSEs).
7
SDP Program Alignment - Technical Documentation
  • The SDP Program now utilizes four common
    documents:
      • Payment Card Industry (PCI) Data Security
        Standard
          • developed by MasterCard and Visa
          • endorsed by Amex, Discover, Diners and JCB
      • PCI Security Audit Procedures
      • PCI Security Scanning Procedures
      • PCI Self-Assessment Questionnaire
  • In addition to these PCI standards, MasterCard
    also has published and maintains the following
    related documents:
      • Security Standard Applicable to Scanning Vendors
      • Electronic Commerce Architecture Best Practices

8
Vendor Cross-Recognition
  • Onsite reviewers
      • Visa will continue to qualify onsite reviewers
        globally through each Visa region
      • MasterCard requires that all onsite reviewers be
        qualified by Visa
  • Security scanning vendors
      • MasterCard will continue security scanning
        compliance testing on a global basis
      • Visa requires that all security scanning vendors
        successfully complete MasterCard compliance
        testing

9
MasterCard SDP Compliance Process for Members
  • Member compliance process
      • Members determine merchant and service provider
        compliance based on vendor recommendations/reports
      • SDP registrations via the Merchant Registration
        Program (MRP)
          • MRP is available to MasterCard members only
          • Accessed through a MasterCard subscription
            service called MasterCard Online (MOL)
          • Requires Members to annually register both
            merchants and service providers as compliant
      • Regular submission of SDP Status Forms
      • Non-compliance assessments

10
MasterCard SDP Compliance Process for Merchants
and Service Providers
  • Merchants and service providers are responsible
    for selecting a qualified onsite assessor and/or
    a compliant security scanning vendor
  • Vendors should provide reports directly to
    merchants and service providers
  • Merchants and service providers share those
    reports with Acquiring Members
  • Executive Summary reports or vendor letters of
    attestation are critical for acquirer compliance
    determination. For onsite audits, please consult
    regional Visa requirements regarding formal
    recommendations of compliance.

11
MasterCard SDP Compliance Process - Self-Assessment
Questionnaire
  • Requirement for Level 2 and 3 merchants
  • 74 questions organized according to the PCI
    standard's 12 requirements
  • Merchants and service providers are not required
    to engage a vendor or use a vendor portal for
    completing the self-assessment
  • Vendors may choose to offer self-assessment
    services:
      • portal for completion
      • remediation

12
Scan Vendor Compliance Testing Program 2005 -
Testing Scope
  • New version of the Security Standard Applicable
    to Scanning Vendors
  • Beginning April 2005, new sets of vulnerabilities
    to be identified during testing:
      • wider variety of operating systems
      • new hardware platforms, including non-Intel
        architectures
      • all major databases, application servers, latest
        web servers
      • web applications, as per the Open Web Application
        Security Project (OWASP)
  • Extension of testing to WLAN security (under
    investigation)

13
Scan Vendor Compliance Testing Program 2005 -
Service
  • Improved level of service
  • Start of an approval maintenance process
      • To ensure that tested scan solutions are kept
        current with the latest vulnerabilities
      • Revalidation process to start in April 2005
      • Vendors will progressively be called in to
        re-test their scanning solutions
  • Registration will include one test session
      • Additional test sessions (2 max) subject to fee

14
MasterCard Support
  • For MasterCard support on:
      • Web site: https://sdp.mastercardintl.com
      • Vendor compliance testing:
        SDP_Vendor_Compliance@mastercard.com
      • SDP Program: sdp@mastercard.com
      • Vendor communications and business relationship
        management: tom_maxwell@mastercard.com