(December 23, 2009) MasterCard Inc. is changing a controversial policy, and pushing back a deadline, that it announced only six months ago regarding enforcement of the Payment Card Industry data-security standard. With the changes, which involve assessing computer systems for PCI compliance, MasterCard could be viewed as responding to valid complaints after first disclosing the planned changes, or it could be viewed has having done a flip-flop. Or both at the same time.Continue Reading at Digital Transactions News
In June, MasterCard adopted a new policy governing whether big merchants can do so-called self-assessments of their PCI compliance. The new policy applied to so-called Level 2 merchants, those submitting 1 million to 6 million total MasterCard and Maestro (PIN-debit) transactions annually, and Level 1 merchants, those submitting more than 6 million transactions. MasterCard previously had let Level 2 merchants to do annual self-assessments for PCI compliance unless they brought in a Qualified Security Assessor (QSA) certified by the PCI Security Standards Council for an on-site assessment. But come Dec. 31, 2010, MasterCard planned to require that all Level 1 and, for the first time, Level 2 merchants, use a QSA for the annual on-site PCI assessment.
That policy generated many complaints from Level 2 merchants, who security experts say would have to pay anywhere from $100,000 to $1 million for a QSA’s services. MasterCard’s policy also diverged from Visa Inc.’s, which lets Level 2 merchants do self-assessments. Many observers also wondered whether there were enough QSAs to go around to handle all the new work from Level 2s.
This month, however, MasterCard pushed back the deadline by six months, to June 30, 2011. And instead of requiring use of a QSA, MasterCard will let Level 2 merchants do the assessments themselves provided they have staff attend merchant-training courses offered by the PCI Council, and each year pass a PCI Council accreditation program. Level 2 merchants are free to use QSAs if they wish. Come June 30, 2011, Level 1 merchants can use an internal auditor provided the audit staff has PCI Council training and annual accreditation. MasterCard also said its definitions of merchant levels now match Visa’s, so, for example, if a merchant is a Level 2 merchant in Visa’s eyes, it’s also one in MasterCard’s eyes.
0 comments