Earlier this year, MasterCard issued a somewhat radical change for their SDP program stating that Level 2 Merchants had to have an onsite assessment by a QSA by the end of 2010 as stated here.
However, this hokey pokey move put the Level 2 Merchants “in” the same boat as Level 1 merchants significantly upped the ante. First of all, it would certainly mean an increased cost for their PCI program by requiring an audit. But more importantly, many of these merchants would no longer be able to just claim they are following PCI via an SAQ form but would now have to prove it to an auditor. That really was the alarming part.
Needless to say, MasterCard got a lot of complaints from merchants and even banks. So, they did the hokey pokey and put their Level 2 Merchants back “out” – at least partly. Now they have moved the date back to mid 2011 and they have conceded that the SAQ can still be done, only now the company must send an employee to training before that employee can perform the SAQ.
On a positive note, this was a wake up call for Level 2 Merchants to enforce the understanding that no matter what size they are, compliance is really to the PCI DSS in full – not just filling out a form.
As far as the banks, who really need to absorb these positions and communicate them back to the merchants, we are still waiting to see how they consistently position this. For example, will the person trained also have to sign the SAQ? Are they liable for a breach? Will the annual test be the same as the QSA? Do they need to have cyber liability insurance like a QSAC needs to? How will there be enough training sessions to cover all the Level 2 Merchants?
Ultimately, this still leaves the merchants with the decision of whether it’s more valuable to pay someone internally to go to training or engage a QSA to perform an onsite assessment. The burden to be compliant is the same, but clearly a QSA has more experience. Given the number of breaches that still occur, one would hope that merchants want their program evaluated with the most due diligence.