Expert comment on the latest developments in PCI DSS:
1. What changes have MasterCard made?
MasterCard have had a change of heart that brings a mixture of consequences for merchants and PCI DSS compliance advisors alike. In short, as of 15 December 2009, Level 2 merchants may complete a PCI self-assessment questionnaire (SAQ) instead of undergoing a full on-site audit by a PCI Qualified Security Assessor (QSA).
2. Who is affected by the changes?
The vast majority of high street stores and mid-tier retailers fall into the Level 2 category. The MasterCard criteria for a Level 2 retailer are:
- Any merchant with greater than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually;
- Any merchant meeting the Level 2 criteria of Visa.
3. What do the changes mean in practice?
Even though the requirements now state that a self-assessment is back on the cards and is at the merchant's discretion, I strongly suspect that many merchants will still need a PCI QSA to provide the technical assistance, assurance and guarantee that the merchant is compliant, because unless the merchant has substantial in-house expertise at its fingertips, I think it may be very concerned about potential data breaches and their consequences.
MasterCard have stated in the same bulletin that, in order to complete a self-assessment, Level 2 merchants will need to nominate staff to undertake the PCI Security Standards Council QSA training programme, and only once those staff have passed the examination will they be permitted to undertake the assessment. This may give a false sense of security and cost the merchant significant sums in training investment. Currently all QSAs must demonstrate at least 5 years' experience in the field and also complete a set number of training exercises each year outside of the PCI QSA training.
I'd also like to point out that in Europe we only seem to have one series of QSA training courses scheduled each year, held in mainland Europe, so merchants will have to be very well organised if they are to have the right staff trained up at the right time. In my opinion, Level 2 merchants should still employ the resources of a fully trained QSA, even if only to assist with the self-assessment process, because QSAs by their very nature have their sleeves rolled up and are involved in PCI issues throughout the year. They will also bring their considerable experience to the table and be better able to resolve compliance issues that newly qualified internal staff may not have the skill to recognise.
4. How can SRM help Level 2 merchants to address those changes and become compliant?
If you are a Level 2 merchant, we can help you to understand how the PCI DSS applies to your organisation and what to do in order to become compliant. Even if you are already working with your chosen supplier, a second opinion can be invaluable.
More Information
Find out more from these PCI-related resources:
- Call the PCI Team: 08450 21 21 22