If you have a merchant who is Level 2 for Visa, that merchant is also Level 2 for MasterCard. Under MasterCard's rules introduced this summer, L2 merchants will need to complete an onsite assessment by a QSA. The original deadline was December 31, 2010.
As of yesterday, the new effective date is June 30, 2011. MasterCard is allowing 6 more months for Level 2 merchants and their processors to make the transition.
There's more.
The original requirement was for a QSA to prepare a Report on Compliance (ROC), but that, too, has been modified to give you an option of using your Internal Audit staff provided:
“[T]hat primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any PCI SSC associated accreditation program annually in order to continue to use internal auditors.”
This means that while Level 2 merchants still need an onsite assessment, they have the option of using their Council-trained internal audit staff to conduct that onsite assessment if they choose.
The good news is MasterCard cut some major slack by moving back the effective date 6 months, and they re-instituted the option of having internal audit staff conduct the onsite.
I still have some open questions, and I'll continue to follow developments. For example:
- If an internal auditor performs the onsite, must they follow the same guidelines as a QSA in preparing the ROC?
- Can an internal auditor use an SAQ or even a simplified SAQ? The wording on the website is unclear.
- Will the Council review internal auditors’ ROCs (or SAQs) as they do with QSAs?
- Will Visa implement similar requirements?
I personally give lots of credit to MasterCard for listening to merchants (they didn't have to!) and being willing to respond to the needs of merchants and acquirers by extending the deadline. At least they gave more time for L2 merchants to respond and gave them the option of using their internal audit staff.
Now it is up to merchants and their acquirers to implement the changes smoothly.