Visa/Mastercard security requirements for small vendors.

Phil Windley says that Visa and Mastercard are starting to crack down on small merchants, requiring them to meet some sort of minimum information security standards or lose the ability to accept Visa or Mastercard purchases online. This is clearly a good thing.

He lists 12 basic requirements:

  1. Install and maintain a working firewall to protect data
  2. Keep security patches up-to-date
  3. Protect stored data
  4. Encrypt data sent across public networks
  5. Use and regularly update anti-virus software
  6. Restrict access by need to know
  7. Assign unique ID to each person with computer access
  8. Don't use vendor-supplied defaults for passwords and security parameters
  9. Track all access to data by unique ID
  10. Regularly test security systems and processes
  11. Implement and maintain an information security policy
  12. Restrict physical access to data
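Items 6, 7 and 9 on that list (need-to-know access, one unique ID per person, and an audit trail keyed by that ID) fit together naturally in code. The following is an added illustration, not code from Windley's post or from Visa's questionnaire: a small in-memory access gate in which every read of a data set is decided per user and always written to an audit log, whether or not it was allowed. The role names, data-set names and user IDs are constructed for the example.

```python
"""Need-to-know access with unique user IDs and an audit trail.

Constructed example: models items 6, 7 and 9 of the merchant checklist.
Every data access goes through AccessControl.access_record(), which
decides on a per-user basis and always appends an audit entry, so the
log answers "who touched what, and when" for every attempt.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed role table: which data sets each role may read (need to know).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "billing": {"card_tokens", "orders"},
    "support": {"orders"},
}


@dataclass
class AuditEntry:
    """One audit-log line: who, what, which record, and the decision."""
    when: str
    user_id: str
    dataset: str
    record_id: str
    allowed: bool


@dataclass
class AccessControl:
    # user_id -> role. One ID per person; shared accounts are refused below.
    users: Dict[str, str] = field(default_factory=dict)
    audit_log: List[AuditEntry] = field(default_factory=list)

    def register_user(self, user_id: str, role: str) -> None:
        """Assign a unique ID to a person (item 7). Reusing an ID is an error."""
        if user_id in self.users:
            raise ValueError(f"user id already assigned: {user_id}")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.users[user_id] = role

    def access_record(self, user_id: str, dataset: str, record_id: str) -> bool:
        """Decide a read on need-to-know (item 6) and log it by ID (item 9).

        Denied attempts, including those by unknown IDs, are logged too:
        an audit trail that only records successes hides the interesting part.
        """
        role = self.users.get(user_id)
        allowed = role is not None and dataset in ROLE_PERMISSIONS[role]
        self.audit_log.append(
            AuditEntry(
                when=datetime.now(timezone.utc).isoformat(),
                user_id=user_id,
                dataset=dataset,
                record_id=record_id,
                allowed=allowed,
            )
        )
        return allowed

    def accesses_by(self, user_id: str) -> List[AuditEntry]:
        """Everything one person attempted; this is the query an auditor asks."""
        return [e for e in self.audit_log if e.user_id == user_id]


def demo() -> AccessControl:
    """Run a few constructed accesses and return the populated gate."""
    ac = AccessControl()
    ac.register_user("alice", "billing")
    ac.register_user("bob", "support")
    ac.access_record("alice", "card_tokens", "tok-001")   # allowed
    ac.access_record("bob", "card_tokens", "tok-001")     # denied, still logged
    ac.access_record("bob", "orders", "ord-042")          # allowed
    ac.access_record("mallory", "orders", "ord-042")      # unknown ID, denied
    return ac


if __name__ == "__main__":
    for entry in demo().audit_log:
        verdict = "ALLOW" if entry.allowed else "DENY"
        print(f"{entry.when} {verdict:5} {entry.user_id} {entry.dataset}/{entry.record_id}")
```

The point worth noticing is that the decision and the log write live in the same function, so there is no code path that reads data without leaving a record, and the record is keyed by a per-person ID rather than a shared "admin" login.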

The actual questionnaire from Visa goes into a lot more detail (“Do changes to the firewall need authorization and are the changes logged?”). A quick skim of the questionnaire shows a bit of Windows bias (you can’t pass unless you have virus scanners on all your servers—that’s kind of weird in a Unix environment), but it looks like a great step forward. It’s nice to see someone in a position of influence raising the security baseline.

