Site Data Protection – MasterCard Mandate
The Site Data Protection (SDP) Program is a MasterCard security
solution that helps Web merchants and third parties protect
themselves against hacking and other attacks.
The SDP program entails an annual Security Self-Assessment
questionnaire that must achieve acceptable ratings, together with security scanning
tools that map the Web site's configuration and check it against
a database of more than 1,200 known vulnerabilities. The network
scan includes intrusion detection services, firewall monitoring,
and additional web insurance.
Internet merchants, Internet CAPs (third party gateways,
third party servicers), and Data Storage Entities (DSEs) must
be reported to MasterCard by each Member Bank, registered
for SDP, and brought into compliance with SDP program requirements within
the timeframes established by MasterCard shown below. The MasterCard
tiered mandate is designed to help protect up to 60% of MasterCard
volume in the first year of implementation and 80% in the
second year. The Member Bank must annually register each e-commerce
merchant and specify each associated TPP or DSE that stores
data on the merchant's behalf. The Member must also annually
register any associated TPP and/or DSE that stored data on the merchant's
behalf. The Member works with Global Payments Direct to announce
the SDP Security Compliance program to e-commerce merchants,
TPPs and DSEs, and to ensure compliance and remediation through (1) the
Annual Security Self-Assessment and (2) the Network Security Scan
performed by a MasterCard-approved SDP Compliant scanning vendor.
SDP is mandatory for Tier 1 and Tier 2 merchants and for their
DSEs that store transaction data. If both the merchant (Tier 1
or Tier 2) and its associated DSE store transaction data, then
both must complete the self-assessment and the regular periodic
network security scan to be SDP compliant. Merchants below
the Tier 2 threshold that store transaction data are encouraged
but not required to participate in SDP. Merchants that do
not store data but wish to sign up for periodic network scans
to detect vulnerabilities in their website may use Ambiron
for these services and benefit from discounted pricing.
For more information on the Vital Signs program through Ambiron,
please go to: www.ambiron.com.
The Site Data Protection (SDP) Program mandate effective
dates are summarized below:

| SDP Compliance Validation Level | Member Bank Reports to MasterCard | Network Security Scan | Security Self-Assessment | MC Annual Electronic Commerce Volume Threshold |
|---|---|---|---|---|
| All TPPs | 12/31/2003 | 6/30/2004 | 6/30/2004 | |
| Tier 1 Merchants | 12/31/2003 | 6/30/2004 | 6/30/2004 | $12 million |
| DSEs for Tier 1 Merchants | 12/31/2003 | 6/30/2004 | 6/30/2004 | |
| Tier 2 Merchants | 12/31/2004 | 6/30/2005 | 6/30/2005 | $1.5 million or more |
| DSEs for Tier 2 Merchants | 12/31/2004 | 6/30/2005 | 6/30/2005 | |
Terms and Definitions
name, primary address, Merchant ID Number, annual and average
monthly MasterCard web volume
Data Storage: The temporary or permanent
retention of MasterCard account data in any form (including
logs) for subsequent processing, retrieval, or other use.
Data Storage Entity (DSE): Any entity other
than the acquiring member, merchant, or TPP that stores MasterCard
account data on behalf of merchants, web hosting providers,
or payment gateways. May include terminal drivers and processors.
Storage may be temporary or permanent and in any form (including
logs).
Site Data Protection Program: A MasterCard
security solution that helps Web merchants and vendors
protect themselves against hacking and other attacks.
Security scanning tools map the Web site's configuration
and check it against a database of more than 1,200 known vulnerabilities.
The program also includes intrusion detection services, firewall monitoring, and additional
web insurance.
Third Party Processor (TPP): A MasterCard
Third Party Processor. Registration directly with
MasterCard is required if the TPP provides services to MasterCard member financial
institutions.