The PCI Security Standards Council announced on Friday the creation of the Internal Security Assessor (ISA) program.  If you recall, we had some fun with MasterCard last year when they floated and then retracted some changes in their SDP program.  The one change that stuck will be causing a small subset of Level 1 merchants pain—the inability to self-assess.

Take a left turn, by Netream

If you recall, Level 1 merchants have always been able to self assess IF they have a C-Level executive sign off on it. Self-assessing sounds attractive until that last part.  While the vast majority of Level 1 merchants choose to use a QSA, there are a few that have been self assessing for years.  In fact, one colleague in particular discussed the level of effort his team exerted, and I was pleasantly surprised to know that his team was much more thorough than many QSAs.

When MasterCard started making changes to their SDP program last year, that small group of merchants realized they may lose their ability to continue on their own.  MasterCard punted back to the Council and said that if QSA-like training with a test at the end is provided to non-QSAs, we are OK with them self assessing.

Of all of the things that MasterCard did last year, this one makes the most sense.  If QSAs have to be trained and pass a test, internal merchant assessors should have to do the same.  This way you can at least set the stage1 for a more equal assessment experience.

For companies that currently self assess, be sure to sign up for one of the sessions listed in the link above. Hopefully the blank spots for locations will be resolved quickly!

This post originally appeared on

  1. All you can assure is that you set the stage.  Merchant ISAs and QSAs alike will still vary in opinion and quality. []