Wednesday, August 12, 2009

MasterCard New PCI Requirements Clarified

MasterCard has posted a 4-page FAQ on its website describing the recent changes to its Site Data Protection (SDP) program. I've blogged about this previously, but now we have some details (with thanks to Branden Williams again).

Here is my take on what it means to you. I'll focus on Level 2 merchants since that is where the changes are.
  • If you are a Level 2 merchant, you now need to hire a QSA to conduct and complete an onsite data security assessment by December 31, 2010, and repeat it annually. Forget the idea of using your internal auditors - that option no longer exists. It appears MasterCard has figured out ("I'm shocked, SHOCKED...") that maybe some merchants were a little too liberal with checking the "in place" column in their SAQs.

  • Interestingly, if a L2 merchant outsources their processing to a validated processor, and the merchant would have previously qualified to validate their own compliance with SAQ A, then according to the FAQ they can continue to do so. The rationale is that since the processor has an onsite data security assessment, that covers the requirement. That one sounds like it might be a little inconsistent to me, but I'll leave it to the folks at MasterCard and the acquirers to work it out.

  • There is an interesting point in the FAQ about "newly acquired merchants." MasterCard seems to be taking a page from Visa's playbook and requiring that acquirers only "board merchants that are PCI compliant." So much for shopping around and changing acquirers to avoid compliance...

There's more in the FAQ, but the message is clear. If you are a Level 2 merchant, it's time to start looking for a QSA, which you can do by following this link to the PCI Council's website.

BTW, the FAQ says all this information went out to MasterCard acquirers on June 15. Hmmm...it's now August and people are just finding out about this. But of course, all of you heard about this in June from your acquirer, right...?

