As of December 31st, 2010, all merchants processing between one and six million MasterCard transactions annually will have to undergo a yearly on-site assessment to confirm PCI DSS compliance, according to the company’s Site Data Protection Program. MasterCard has yet to reply to queries regarding the reasoning behind this decision.
Lee Pierce of Security Metrics, a third-party PCI DSS assessment company, speculates that the change was made in response to the growing number of high-profile security compromises that have occurred recently. Pierce expects an increase in call volume to Security Metrics and companies like it from the many Level 2 merchants who will now require their services.
This change will put a dent in the budgets of Level 2 merchants, who are presently required only to complete an annual self-assessment, but it should produce more thorough validation of PCI DSS compliance than a self-assessment can. It is unclear at this time whether other card brands will follow suit.
MasterCard’s website still states that Level 2 merchants are required to self-assess. It remains to be seen whether this double requirement exists simply to ensure that some form of assessment takes place until the on-site assessment requirement takes effect, or whether it will remain in place so that each party's compliance conclusions back up the other's.