On Wednesday, we discussed MasterCard’s new requirement for Level 2 merchants to have an on-site assessment performed instead of submitting the Self-Assessment Questionnaire (see the final word here). This news prompted a flurry of information around the new requirement and has merchants asking lots of questions.
I clarified a couple of items from my last post and wanted to make sure they were clear.
- MasterCard’s 2010 deadline is more of an end to submitting SAQs as opposed to a deadline to be validated by a QSA. This means that Level 2 merchants will continue to be able to submit SAQs until December 31, 2010, after which they will need to have the on-site assessment, performed by a QSA.
- The On-Site assessment must yield a Report on Compliance (ROC), NOT a SAQ. Effectively, Level 1 & 2 merchants will have the exact same reporting requirements for PCI.
- This does not apply only to merchants processing more than 1 million MasterCard transactions annually; it applies to any merchant classified as a Level 2 merchant by any other card brand. MasterCard's definition of Level 2 also includes “Any merchant meeting the Level 2 criteria of a competing payment brand.” This means that if any other brand defines you as a Level 2 merchant, you are now subject to this requirement.
I hope you all have a chance to ponder that over the weekend, and we’ll catch you next week for more security fun!
Update: MasterCard has the FLIP FLOPS! Check their retraction here.