Branden Williams, on his VeriSign Security Convergence Blog, posted that MasterCard is now going to require all Level 2 merchants to use a QSA to perform an onsite assessment under its Site Data Protection program.  This is a HUGE departure from the previous requirement of an in-house "self-assessment" of their Site Data Protection programs.  So, with that, all I have to say is:

Attention:  All Level 2 eMerchants! (greater than 1 million, but less than 6 million transactions annually)  Because HomeATM is already PCI 2.0 PED certified, should you incorporate our "swipe vs. type" payment methodology, you would be effectively removed from the scope of PCI.  Problem solved, money saved, security improved.
(It also provides additional significant benefits, such as replicating a "card present" environment and qualifying for "true" PIN Debit interchange rates.)

Here's an excerpt from Branden's blog post: 

Branden Williams' Security Convergence Blog: NEWS FLASH: MasterCard Requires On-Site QSA for Level 2 Merchants
Thanks to Smiley for the tip!

MasterCard has posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and an on-site assessment. This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually.

While this is definitely going to put a dent in Level 2 merchant budgets from this point on, I truly believe that this is a smart move by MasterCard. Level 2 merchants are extremely significant in size, many of which are household names. Unfortunately, PCI self-assessments are typically poorly handled simply due to the complexity of the standard and lack of training provided to those individuals performing the assessment. When our folks are contracted to review these, we typically find that a previously fully in-place Self Assessment Questionnaire is only about 70% accurate, meaning that 30% of the items answered "Yes" or "N/A" are actually "No."


Posted by John B. Frank Thursday, June 18, 2009
