Phil Windley says that Visa and Mastercard are starting to crack down on small merchants, requiring them to meet some sort of minimum information security standards or lose the ability to accept Visa or Mastercard purchases online. This is clearly a good thing.

He lists 12 basic requirements:

  1. Install and maintain a working firewall to protect data
    
  2. Keep security patches up-to-date
    
  3. Protect stored data
    
  4. Encrypt data sent across public networks
    
  5. Use and regularly update anti-virus software
    
  6. Restrict access by “need to know”
    
  7. Assign unique ID to each person with computer access
    
  8. Don’t use vendor-supplied defaults for passwords and security parameters
    
  9. Track all access to data by unique ID
    
  10. Regularly test security systems and processes
    
  11. Implement and maintain an information security policy
    
  12. Restrict physical access to data
    

The actual questionnaire from Visa goes into a lot more detail (“Do changes to the firewall need authorization and are the changes logged?”). A quick skim of the questionnaire shows a bit of Windows bias (you can’t pass unless you have virus scanners on all your servers–that’s kind of weird in a Unix environment), but it looks like a great step forward. It’s nice to see someone in a position of influence raising the security baseline.