MasterCard Vs. Visa: Dueling Compliance Philosophies

Written by David Taylor
August 18th, 2009

Columnist David Taylor is the Founder of the PCI Knowledge Base and former E-Commerce and Security analyst with Gartner.

People don’t seem to “get” MasterCard. For most of the last 4 years, MasterCard has been criticized for their apparent willingness to let Visa play the “bad guy” who issues fines to acquiring banks (and, through them, to merchants), who extends the PCI standards to application vendors (through PABP, now PA-DSS) and who generally takes the heat for PCI.

Now MasterCard is taking what can only be called a “get tough” policy, issuing larger fines and, most significantly, forcing both Level 1 and Level 2 merchants to use assessors rather than take on the task of self-assessment. But still, merchants, banks, processors and service providers aren’t happy with MasterCard. They just can’t seem to get a break. After numerous conversations with companies on the receiving end of MasterCard’s “get tough” efforts, I think there are some philosophical issues that need to be highlighted.

  • Who Do You Trust?
    The MasterCard mandate to use third-party Qualified Security Assessors (QSAs) is a big deal. We’ve heard from several Level 1 and Level 2 merchants that this will affect their PCI compliance project management, increase their assessment costs and change who runs PCI internally. Over the last 1-2 years, our research has found that more Internal Audit departments have added IT talent to take on PCI assessments, sometimes on loan from IT and sometimes by hiring staff. But MasterCard apparently doesn’t trust these companies and their Internal Audit folks.

    One likely result is the shifting of PCI-related budget money back from Internal Audit to IT, or simply using the Internal Audit PCI funds to hire a QSA. Some internal auditors say this is a step backward. Visa, on the other hand, appears to be satisfied with merchants taking on the task of self-assessment and, according to several merchants and banks, even encourages it. It’s a different philosophy.

  • Who Does A Better Job Auditing PCI?
    The motivation behind MasterCard’s QSA mandate was almost certainly some pretty shoddy self-assessments by some name-brand companies. After all, just because a company has a brand name doesn’t mean its senior management believes all the consultant hype that you have to spend money on data security to protect your brand by avoiding a security breach.

    But my experience with Internal Audit departments tells me that once that department agrees to take on PCI compliance assessments, they spend more time, effort and money on assessments and generally do a better job than most QSAs.

    Why? Cost is a huge factor in QSA selection, so QSAs often have to minimize the assessment scope in order to win business. I know many QSAs who are thoroughly ticked off that some of their clients would prefer a less-than-thorough assessment. Many merchants like QSAs who are “easy graders,” which is not a shock. But these same “cheap ass” (to quote one notable QSA) managers have a hard time sitting across the table from the head of internal audit (who often reports to the CFO) trying to make a case for Internal Audit doing a shoddy PCI assessment.

    My point is that when Internal Audit people own PCI self-assessment, they will typically do the most thorough job. But when IT owns the self-assessment task, the quality of the self-assessment varies directly with the skills and autonomy of the team assembled by the head of security or the PCI project manager.

  • Is Data Security A Culture Or A Cult?
    One of the arguments I’ve heard a half dozen times since the MasterCard announcement is that their insistence that merchants rely on QSAs rather than build up their own self-assessment teams (wherever they may sit) runs counter to efforts to build a “culture of security.” (I swear – people actually said that!) Personally, I think data security folks (including me) are more like a cult, including the secret handshakes.

    But either way, I hope we have reached the point where merchants (both IT and senior management) realize that data security is their responsibility, regardless of whether they perform the actual self-assessment or not. After all, the liability and business risk continue to rest with the merchant, whoever does the PCI assessment. Of course, that issue itself does argue for the merchants owning the self-assessment task.

    That said, I do think that one of the downside risks of the MasterCard mandate is that it could renew feelings of antagonism between the merchants and the card brands, with both the QSAs and the acquiring banks caught in the middle.

  • The Bottom Line
    If I had to choose sides, and I don’t, I would probably come down on the side of allowing greater use of self-assessments. Even if some of the self-assessments turned in have been total crap, there is now a “crap detection” (Quality Assurance) process managed by the PCI SSC, as well as reviews by the acquiring banks. But MasterCard has seemingly decided that is not working. They may be right. They have seen lots of these self-assessments. I just think it’s interesting that Visa, which sees as many, or more, of these self-assessments, came to a different conclusion. Speaking of conclusions, I’m done. But, if you’d like to agree or disagree, please visit the PCI Knowledge Base, and our “Contact us” page, or if you want to have a personal discussion about the assessment process, just send me an E-Mail at

    4 Comments

    1. Alex Crittenden Says:

      Dave –

      Thanks for another good article at StoreFrontBackTalk. Very interesting topic, but I do have a couple of points that I wanted to raise regarding internal vs. external PCI auditing.

      (BTW – in full disclosure, as Dave knows, I work for a security consulting firm that also happens to be a QSA)

      1) There is always the argument that a company is going to know their systems and processes better than some outsider coming in for a short period of time to perform an audit.

      I’ll actually agree with this idea – any outside firm, unless they have a long history working with a client, does not have nearly the same familiarity and knowledge of a client’s environment as the client’s own team.

      That’s one of the reasons why an outside review can be valuable – sometimes there needs to be a bit of separation in order to get a proper perspective, to make certain that assumptions are accurate, and to bring an outside viewpoint into the conversation. But this assumes a certain approach to PCI by the merchant in question… Which gets me to my second point…

      2) Any PCI program should be an extension (or subset) of your overall security program. At its heart it’s not just an audit procedure – it should be viewed within the context of your overall security program.

      If a company is focusing on the bigger picture of overall security improvement and is actively assessing systems, finding vulnerabilities, closing gaps in security, updating policies, etc. then I don’t think having the internal audit team perform the PCI audit is necessarily a problem.

      Where I do see difficulties is when merchants are looking to ‘just get the damn thing done’ and look at compliance as an exercise unto itself.

      In that case, I think finding an outside firm that can provide both PCI auditing and broader security expertise is extremely important.

      A good number of the ‘PCI’ clients that we work with actually don’t have us do the audits – we work with them on PCI ‘readiness’ which really means they are working to operationalize security and compliance in a broader sense.

      Anyway – just my two cents…

      Thanks again for another good article…

    2. Dave Taylor Says:

      Hi, Alex,
      Thanks for your feedback. I certainly agree that PCI needs to “fit” with the overall security program and that getting an external perspective / review of PCI, security, and its business as well as technical implications, is a great idea.

      For me the most interesting part about this issue is the underlying assumption (the philosophy) that’s being made about what sources (and what process) create the “best” assessment.

      I appreciate the feedback.
      thx, Dave

    3. Cranston Snoard Says:

      Re the “culture of security” (or culture of security awareness) – not sure why you find that a surprising term and approach. It has been around for quite some time. Most of us in security strive for such a situation, where our users, developers, management, etc., have an appreciation of security / governance so that they will keep these things in mind when developing new projects, services, etc. It’s a place where security et al. is built into processes, not slapped on later at great expense and resistance; we want our user community to appreciate the value of security and its role in contributing to the success of business initiatives.

      As I tell my colleagues and business users, my job is to help ensure no one tampers with or interferes with their applications, and be part of our competitive advantage by ensuring our applications and services are up and running while our competitors are “off the air” because they are busy dealing with the latest security threats.

      As to MasterCard, they seem to be devolving PCI DSS into the SOX free-for-all and money grab. They remind me of power-obsessed grade school teachers who rather than deal with an unruly student, seem to think punishing the whole class will solve the problem.

    4. Dave Taylor Says:

      Re: my “culture of security” comment. I suspect sometimes that my sense of humor is lost in my columns. I use quote marks to set off things, but that doesn’t do the trick sometimes. I was trying to get a joke out of “culture” vs. “cult” – I am familiar with the term.
      Dave T.
