Branden Williams, on his VeriSign Security Convergence Blog posted that MasterCard is now going to require that all Level 2 merchants use a QSA to perform an onsite assement of their Site Data Security.  This is a HUGE departure from the previous requirement of an in-house "self-assessment" of their Site Data Protection programs.  So, with that, all I have to say is:

Attention:  All Level 2 eMerchants! (greater than 1 Million, but less than 6 Million transactions annually)  Based on the fact that HomeATM is already PCI 2.0 PED certified, should you incorporate our "swipe vs type" payment methodology, you would be effectively removed from the scope of PCI.  Problem solved, money saved, security improved. 

NEWS FLASH: MasterCard Requires On-Site QSA for Level 2 Merchants
Thanks to Smiley for the tip!

MasterCard has posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and an on-site assessment. This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually.

While this is definitely going to put a dent in Level 2 merchant budgets from this point on, I truly believe that this is a smart move by MasterCard. Level 2 merchants are extremely significant in size, many of which being household names. Unfortunately, PCI self-assessments are typically poorly handled simply due to the complexity of the standard and lack of training provided to those individuals performing the assessment. When our folks are contracted to review these, we typically find that a previously fully in-place Self Assessment Questionnaire is only about 70% accurate. Meaning, that 30% of the items answered "Yes" or "N/A" are actually "No."

Continue Reading 

MasterCard, PCI, QSA, Level 2 merchants, On-Site QSA, HomeATM