I have had some clients contact me in the last couple of weeks regarding MasterCard’s Site Data Protection (SDP) program. Specifically, what is MasterCard’s position regarding Level 2 merchants generating a Self Assessment Questionnaire (SAQ)? All of these merchants intend to conduct their own SAQ but wanted to make sure that was still acceptable under the MasterCard SDP rules. Last year there was a lot of confusion since MasterCard pulled back on their decision to require Level 2 merchants to have a QSA conduct an on-site PCI assessment. However, I thought the new rules were straightforward and did not realize that there could be confusion until I started getting questions.
If you go to the MasterCard Web site and to the Merchant Levels Defined page, you will see the following information regarding Level 2 merchants. Under the column “Onsite Assessment”, MasterCard states that it is under the merchant’s discretion with a reference to footnote number two. Under the “Self Assessment” column, it says that the self assessment is required annually and also references the number two footnote. Footnote two states the following.
“Effective 30 June 2011, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.”
The key date to remember is June 30, 2011. In my humble opinion and based on previous PCI pronouncements, if you can get your SAQ effort started before June 30, 2011, you can do it internally with any staff you choose. However, from June 30, 2011 forward, Level 2 merchants that wish to do an SAQ must use personnel that have attended and passed the PCI SSC Internal Security Assessor (ISA) program annually. To be safe, I would confirm your plans with your acquirer before you start just to ensure that you are not going to get in trouble when you submit your SAQ.
Where things get confusing is MasterCard’s use of the phrase “at their own discretion” in describing their alternative. The reason I think this is confusing is that their alternative seems to be hardly discretionary. As near as I can tell, if a merchant does not have their staff attend and pass the PCI SSC’s ISA training annually, then the merchant is required to have a QSA conduct an annual on-site assessment (code words for a Report On Compliance or ROC). In my book, that seems hardly discretionary. That is an “either you do it one way or you do it another way, but you are going to pick one” situation. I suppose MasterCard is trying to soften the blow by indicating that it is up to the discretion of the merchant which option they choose.
In the end, there is hardly a nice choice. ISA training is not exactly cheap and, for most merchants, requires travel in addition to the cost of the training, let alone making sure that a merchant has staff capable of passing the ISA course and conducting such an assessment. And that is an annual cost, not just a one-time expense. I am also sure that ISAs will have to keep work papers and meet other requirements that QSAs are required to meet, so there is more work and cost. Then there is the cost of a QSA conducting an on-site assessment, which is also not cheap. It will all come down to the type of SAQ that the merchant would fill out. However, I have to admit that most Level 2 merchants would end up with SAQ D, which is not exactly a small task to complete. Which is why we have always referred to SAQ D as “ROC Lite.”
So it appears that Level 2 merchants that take MasterCard are damned if they do, and damned if they do not. Pick your poison my friends.