Security Rules and Procedures
Chapter 1 Customer Obligations
This chapter describes general Customer compliance and Program obligations relating to Mastercard Card issuing and Merchant acquiring Program Activities.
1.1 Compliance with the Standards
This manual contains Standards. Each Customer must comply fully with these Standards.
All of the Standards in this manual are assigned to noncompliance category A under the compliance framework set forth in Chapter 2 of the Mastercard Rules manual (“the compliance framework”), unless otherwise specified in the table below. The noncompliance assessment schedule provided in the compliance framework pertains to any Standard in the Security Rules and Procedures manual that does not have an established compliance Program. The Corporation may deviate from the schedule at any time.
| Section Number | Section Title | Category |
|---|---|---|
| 1.3 | The Security Contact | C |
| 7.1.2 | Retention of Investigative Records | C |
1.2 Conflict with Law
A Customer is excused from compliance with a Standard in any country or region of a country only to the extent that compliance would cause the Customer to violate local applicable law or regulation, and further provided that the Customer promptly notifies the Corporation, in writing, of the basis for and nature of an inability to comply. The Corporation has the authority to approve local alternatives to these Standards.
1.3 The Security Contact
Each Customer must have a Security Contact listed for each of its Member IDs/ICA numbers in the Company Contact Management application on Mastercard Connect™.
1.4 Connecting to Mastercard — Physical and Logical Security Requirements
Each Customer and any agent thereof must be able to demonstrate to the satisfaction of Mastercard the existence and use of meaningful physical and logical security controls for any communications processor or other device used to connect the Customer’s processing systems to the Mastercard Network (herein, “a Mastercard Network Device”) and all associated components, including all hardware, software, systems, and documentation (herein collectively referred to as “Service Delivery Point Equipment”) located on-site at the Customer or agent facility. Front-end communications processors include Mastercard interface processors (MIPs), network interface units (NIUs), and debit interface units (DIUs).
The controls must meet the minimum requirements described in this section, and preferably will include the recommended additional parameters.
1.4.1 Minimum Security Requirements
At a minimum, the Customer or its agent must put in place the following controls at each facility housing Service Delivery Point Equipment:
- Each network segment connecting a Mastercard Network Device to the Customer’s processing systems must be controlled tightly, as appropriate or necessary to prevent unauthorized access to or from other public or private network segments.
- The connectivity provided by each such network segment must be dedicated wholly and restricted solely to the support of communications between Mastercard and the Customer’s processing systems.
- The Customer or its agent must replace each vendor-supplied or default password present on the Customer’s processing systems, each Mastercard Network Device, and any device providing connectivity between them with a “strong password”. A strong password contains at least eight characters, combines two or more of letters, numbers, symbols, and punctuation, and does not include a name or common word(s).
- The Customer or its agent must conduct regular periodic reviews of all systems and devices that store Account information to ensure that access is strictly limited to appropriate Customer personnel on a “need to know” basis.
- The Customer or its agent must notify Mastercard within 30 business days of any change in the personnel designated to administer the Mastercard Network Device. Refer to Appendix B of this manual for contact information.
- The Customer or its agent must maintain and document appropriate audit procedures for each Mastercard Network Device. Audit reports must be maintained and accessible to the Customer for at least one year, including a minimum of 90 days in an easily retrieved electronic format.
- The Customer must ensure that the software employed in any system or device used to provide connectivity to the Mastercard Network is updated with all appropriate security patches, revisions, and other updates as soon after a release as is practicable.
- The physical location of the Service Delivery Point Equipment must be accessible only by authorized personnel of the Customer or its agent. Visitor access must be controlled by at least one of the following measures:
  - Require each visitor to provide government-issued photo identification before entering the physical location; and/or
  - Require each visitor to be escorted to the physical location by authorized personnel of the Customer or its agent.
- If the physical location of the Service Delivery Point Equipment provides common access to other devices or equipment, then the Mastercard Network Device must be stored in a cabinet that is locked both in front and the rear at all times. Keys to the cabinet must be stored in a secured location.
- The Customer or its agent must have documented procedures for the removal of Service Delivery Point Equipment from the physical location.
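The strong-password requirement above is the one control in this list that can be enforced mechanically when default credentials are replaced. The following is an added example of a checker implementing that rule as stated (minimum length eight, at least two character classes, no embedded name or common word); it is not Mastercard tooling, and the word list, name list and sample passwords are constructed for illustration. In production the word list would be loaded from a real dictionary together with the vendor default passwords for each device type.

```python
"""Check candidate passwords against the 'strong password' minimum stated in
section 1.4.1.  Added example, not Mastercard's own code; the word and name
lists below are a constructed stand-in for a real dictionary."""
import re

# Constructed stand-ins.  A real deployment loads a large word list plus the
# vendor/default credentials for every device type in the segment.
COMMON_WORDS = {"password", "admin", "welcome", "mastercard", "summer",
                "letmein", "default"}
NAMES = {"alice", "bob", "smith", "jones"}

# Undo the usual substitutions (0->o, 1->l, 3->e, 4->a, @->a, $->s, !->i) so
# that "P@ssw0rd" is still recognised as the common word "password".
_LEET = str.maketrans("0134@$!", "oleaasi")


def strong_password_failures(pw: str, words=COMMON_WORDS, names=NAMES) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")

    classes = 0
    classes += any(c.isalpha() for c in pw)        # letters
    classes += any(c.isdigit() for c in pw)        # numbers
    classes += any(not c.isalnum() for c in pw)    # symbols / punctuation
    if classes < 2:
        failures.append("uses only one character class")

    # Look for names and common words embedded anywhere in the password,
    # after undoing leetspeak and dropping digits/symbols.
    letters_only = re.sub(r"[^a-z]", "", pw.lower().translate(_LEET))
    for w in sorted(words | names):
        if len(w) >= 4 and w in letters_only:      # very short words would over-match
            failures.append(f"contains the common word or name '{w}'")
    return failures


def is_strong(pw: str) -> bool:
    return not strong_password_failures(pw)


if __name__ == "__main__":
    # Constructed samples: a typical default, a 'clever' variant, and a random one.
    for candidate in ("admin", "P@ssw0rd", "Summer2024!", "Tr7#kq9Lz"):
        print(f"{candidate!r:14} -> {strong_password_failures(candidate) or 'OK'}")
```

Note that eight characters is the floor this section states, not a recommendation; device administration accounts should in practice use longer, generated secrets, and the check above should be run again whenever the patching item in this list replaces firmware that may reinstate a vendor default.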
1.4.2 Additional Recommended Security Requirements
Customers and their agents are strongly encouraged to put in place the following additional controls at each facility housing a Mastercard Network Device:
- Placement of the Mastercard Network Device in a physical location that is enclosed by floor-to-ceiling walls.
- Continual monitoring of the Mastercard Network Device by cameras or other type of electronic surveillance system. Video records should be maintained for a minimum of 90 days.
1.4.3 Ownership of Service Delivery Point Equipment
Effective as of date of placement, the Customer is granted a non-exclusive, nonassignable license to use the Service Delivery Point Equipment owned or controlled by Mastercard. The Customer may not take any action adverse to the interests of Mastercard with respect to the use of the Service Delivery Point Equipment.
The Customer at all times remains responsible for the safety and proper use of all Service Delivery Point Equipment placed at a location by request of the Customer, and must employ at that location the minimum security requirements set forth in this section 1.4. At its own expense, the Customer must promptly return all Service Delivery Point Equipment owned or controlled by Mastercard to Mastercard upon request of Mastercard and, without such request, in the event of bankruptcy or insolvency.
1.4.4 Component Authentication
All components actively participating in the Interchange System must authenticate each other by means of cryptographic procedures, either explicitly by a specific authentication protocol or implicitly by correct execution of a cryptographic service possessing secret information (for example, the shared key or the logon ID).
A component actively participates in the Interchange System if, because of its position in the system, it can evaluate, modify, or process security-related information.
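The "explicit" form of component authentication described above is a mutual challenge-response over a shared key. The following added example shows such an exchange with both sides' messages; it is not the Interchange System's actual protocol (which this section does not specify), and the component names, key, nonce size and message layout are assumptions made for illustration. Each party proves possession of the key by returning a keyed MAC over the peer's fresh challenge, with its own identity bound into the MAC so a message cannot be reflected back to its sender, and a party that fails to verify its peer aborts before sending its own proof. The two failure modes a practitioner wants to see, a mismatched key and a replayed transcript, are exercised as well.

```python
"""Mutual challenge-response authentication between two components sharing a
secret key.  Added example; not Mastercard's protocol.  Names, key and
message layout are illustrative assumptions."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # assumption: 128-bit challenges


def _proof(key: bytes, prover: bytes, challenge: bytes, own_nonce: bytes) -> bytes:
    """HMAC-SHA256 over (prover identity | peer's challenge | prover's own nonce).

    The identity prevents reflection (A's challenge fed back to A); the
    challenge nonce guarantees freshness against replay."""
    return hmac.new(key, b"|".join((prover, challenge, own_nonce)), hashlib.sha256).digest()


class Component:
    """One participant, e.g. a Customer host or a network device, holding the key."""

    def __init__(self, name: bytes, key: bytes):
        self.name = name
        self._key = key
        self._my_nonce = b""

    def challenge(self) -> bytes:
        """Message 1: issue a fresh random challenge."""
        self._my_nonce = secrets.token_bytes(NONCE_LEN)
        return self._my_nonce

    def respond(self, peer_challenge: bytes):
        """Message 2: answer the peer's challenge and issue a counter-challenge."""
        self._my_nonce = secrets.token_bytes(NONCE_LEN)
        return self._my_nonce, _proof(self._key, self.name, peer_challenge, self._my_nonce)

    def prove(self, peer_challenge: bytes) -> bytes:
        """Message 3: answer the counter-challenge."""
        return _proof(self._key, self.name, peer_challenge, self._my_nonce)

    def verify(self, peer_name: bytes, peer_nonce: bytes, proof: bytes) -> bool:
        """Check a proof against the challenge this component issued (constant time)."""
        expected = _proof(self._key, peer_name, self._my_nonce, peer_nonce)
        return hmac.compare_digest(expected, proof)


def run_handshake(a: Component, b: Component):
    """Return (a_accepts_b, b_accepts_a) for one three-message exchange."""
    n_a = a.challenge()                      # A -> B : n_a
    n_b, b_proof = b.respond(n_a)            # B -> A : n_b, MAC_K(B | n_a | n_b)
    if not a.verify(b.name, n_b, b_proof):
        return False, False                  # A aborts and never reveals its own proof
    a_proof = a.prove(n_b)                   # A -> B : MAC_K(A | n_b | n_a)
    return True, b.verify(a.name, n_a, a_proof)


def replay_is_rejected(key: bytes) -> bool:
    """A recorded message 2 from an earlier session must not satisfy a later challenge."""
    a, b = Component(b"CUSTOMER-HOST", key), Component(b"NETWORK-DEVICE", key)
    captured_nonce, captured_proof = b.respond(a.challenge())   # session 1, recorded
    a.challenge()                                               # session 2: fresh challenge
    return not a.verify(b.name, captured_nonce, captured_proof)


if __name__ == "__main__":
    shared = secrets.token_bytes(32)                    # constructed shared key
    print("same key   :", run_handshake(Component(b"HOST", shared), Component(b"DEVICE", shared)))
    print("wrong key  :", run_handshake(Component(b"HOST", shared), Component(b"DEVICE", b"\x00" * 32)))
    print("replay     :", "rejected" if replay_is_rejected(shared) else "ACCEPTED")
```

The "implicit" variant in the rule corresponds to omitting the handshake and instead keying every service message itself (for example a MAC over each transaction); the same freshness and identity-binding concerns apply there, since a keyed MAC without a nonce or sequence number proves key possession but not that the message is new.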
1.5 Data Protection
In addition to Rule 3.13 of the Mastercard Rules, the Corporation and each Customer must comply with (1) Applicable Data Protection Law and (2) Appendix D (Covered Programs Privacy and Data Protection Standards), in each case when Processing Personal Data in the context of Activity related to Account Data Compromise events, Mastercard Alert to Control High-risk (Merchants) (MATCH™) system, the Excessive Chargeback Program, the Merchant Registration Program, and the Franchise Management Program (collectively a “Covered Program”).
1.5.1 Compliance with Privacy, Data Protection and Information Security Requirements
The Corporation and each Customer must comply with Applicable Data Protection Law when Processing Personal Data in the context of Activity related to a Covered Program.
Chapter 2 Cybersecurity Standards and Programs
This chapter is relevant to all Customers, Merchants, Service Providers, and any other Customer agents that store, process, or transmit Account, Card, Cardholder, or Transaction data.