As you may recall, MasterCard International revised their Site Data Protection (SDP) program earlier this year to require Level 2 merchants to conduct an on-site assessment of PCI compliance, aka a Report On Compliance (ROC). On December 15, MasterCard released a bombshell on their Level 2 merchants by backing away from the ROC requirement. However, this change overshadows some other significant changes that you need to be aware of.
For most, the big news in the December 15 pronouncement was that, effective immediately, MasterCard has gone back to only requiring Level 2 merchants to fill out a Self-Assessment Questionnaire (SAQ) instead of a ROC. This was somewhat anticipated after Visa did not change their merchant level reporting requirements accordingly. Conducting a ROC is now optional.
The original move by MasterCard was an attempt to level the playing field, since MasterCard typically has fewer transactions than Visa at most merchants. MasterCard was trying to reduce their risk by requiring a ROC instead of an SAQ from those Level 2 merchants that would likely be Level 1 if the merchant’s Visa transactions were aggregated with their MasterCard transactions.
The biggest and probably the best news in my opinion is that, as of June 30, 2011, any Level 1 or Level 2 merchants that want to create their ROC or SAQ using their internal audit staff are now required to have those personnel attend PCI SSC training and become certified in the ROC or SAQ process. As a QSA who has come into an organization a year or two after the company has conducted its own assessment and created its ROC, I can tell you that without training, internal auditors are not equipped to conduct such a project. The biggest issue they have is that they do not interpret the PCI DSS correctly, because they have not been given the insight that QSAs are given at training. While this might be a potential threat to my livelihood, I applaud MasterCard for mandating this requirement.
However, there is a twist in the directive. MasterCard states that if Level 2 merchants do not get their internal audit staffs trained and certified in approved PCI SSC programs, then their SAQ or ROC must be completed by a QSA. So, while MasterCard backed away from the mandatory ROC for Level 2 merchants, Level 2 merchants must now either train their internal audit staffs or use a QSA. So my livelihood may not be as adversely affected as I had thought.
And finally, as of July 1, 2012, all merchants and service providers that use third-party-developed software can only use that software if it is PA-DSS compliant. Let us be clear: this is only relevant to third-party-developed software, not software that is developed in-house. However, MasterCard seems to have created a potential issue depending on how they define ‘third party’. I am assuming that MasterCard is referring to third parties such as Micros, Oracle, IBM and similar software vendors that sell point-of-sale (POS) solutions, and not the hired consultant who creates an eCommerce Web site for the local donut shop. However, this definition needs to be clarified by MasterCard so that we are all on the same page.
UPDATE: The PCI SSC’s Web site indicates that they will be offering training to basically anyone willing to pay for it. The 2010 Training Schedule is supposed to be released on Friday, January 15. So keep checking their Web site for the training schedule.