NEWS FLASH: MasterCard Requires On-Site QSA for Level 2 Merchants
Thanks to Smiley for the tip!
MasterCard has posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and undergo an on-site assessment. This is a dramatic change from the current, industry-wide requirement of self-assessment for merchants processing fewer than six million transactions annually.
While this is definitely going to put a dent in Level 2 merchant budgets from this point on, I truly believe that this is a smart move by MasterCard. Level 2 merchants are extremely significant in size, and many of them are household names. Unfortunately, PCI self-assessments are typically poorly handled, simply due to the complexity of the standard and the lack of training provided to the individuals performing the assessment. When our folks are contracted to review these, we typically find that a Self Assessment Questionnaire previously marked as fully in place is only about 70% accurate, meaning that 30% of the items answered "Yes" or "N/A" are actually "No."
So far, none of the other card brands have changed their status.
It's unclear if others will follow suit, but regardless, if you are defined as a Level 2 merchant with ANY card brand, you are automatically a Level 2 with MasterCard, and are now required to have an on-site assessment.
Comments
Now if someone was to train the QSAs to be more than checkbox people and have no conflict of interest (selling products like WAFs and additional services), then perhaps it would not be a waste of money.
How about PCI give me my money back when I pass this stupid checkbox audit
Posted by: joe peretera | June 17, 2009 12:17 PM
Woh! Sounds like someone has had a very bad experience with a QSA!
Without turning this into a total sales pitch, remember, not all QSAs are the same. For example, our PCI Practice prides itself on vendor neutrality, and we do not have products to sell you to get to compliance. We can assist by way of providing services, but that in no way will dictate how your assessment will come out (meaning, you don't HAVE to use our services for us to validate you as compliant). We also know there are a few bad apples out there that hurt all QSAs, and the best thing you can do is go to the Council's website and fill out a QSA Feedback form (https://www.pcisecuritystandards.org/docs/qsa_feedback_form_-_client.doc). I have been assured that they are all taken seriously.
Our QSAs are security focused. We take a risk-based approach, where appropriate, and do not focus on check-box compliance. That does a disservice to our customers, and to the community. If you are interested to know more, please contact us at pci@verisign.com for more information!
Posted by: Branden Williams | June 17, 2009 12:25 PM
It is curious as to why MasterCard did not alert the QSA community about a change that will have such a dramatic impact. There wasn't even a notice on their website informing visitors that the requirements have changed and they just might want to check it out.
Did I miss something? Was there an announcement made? If so, how does one get on the announcement list?
Posted by: Luis Porres | June 19, 2009 12:07 PM
Luis:
Great question! According to my sources, it appears that the banks (Acquiring from what I can tell) did know about this, but they may not have known when it was going to be public. With the exception of Visa (and this is a slim exception), the card brands do not have a good outreach program to all of the key stakeholders (such as QSAs) to discuss changes in their policies. Their expectation is that you check their website regularly for information updates (per the QSA Training).
Posted by: Branden Williams | June 19, 2009 12:26 PM
Branden:
Thanks for the insight. While I agree that the QSA should be checking the Card Brand Company websites for updates and the like, there is no guarantee that a change like this which could be buried several links deep would not be missed. Then we as QSAs are put into a difficult position with our clients, especially if they notice it first.
I do not think any QSA wants to hear... "How come you did not know about this? Aren't you supposed to be the trained professionals?"
Maybe we can bring this up at the Community Meeting this year and ask the Card Brand Companies if some kind of advance notification to QSAs can be possible.
Posted by: Luis Porres | June 25, 2009 11:19 AM