Ed Welsh, Director, Security & Compliance

MasterCard Changes Requirements - Level 2 Merchants Now Must Undergo On-site Assessments

Posted by Ed Welsh, Director, Security & Compliance on July 24, 2009 5:57 PM

Level 2 merchants that accept MasterCard payment cards can no longer get by with just completing a Self-Assessment Questionnaire. Starting December 31, 2010, they will need to use a Qualified Security Assessor (QSA) to perform an on-site assessment of PCI DSS compliance. Additionally, some states are beginning to put PCI compliance into actual law.

The collective groan from affected businesses can probably be heard as far away as Saturn, and budgets are definitely not prepared for the costs. Getting an assessor on-site is not all that expensive, but the associated technical and process development costs to support a QSA-based assessment can be staggering. However, while the initial cost will negatively affect businesses, especially in this economy, the long-term security of financial data will ultimately benefit everyone. By definition, a Level 2 merchant handles up to six million transactions a year, opening up a lot of potential for theft and misuse, and you need to be ready to prevent it.

So, if you are a Level 2 merchant, engage your QSA early, long before December 2010. Estimates put the number of Level 2 merchants at 2,000, four times the number of Level 1 merchants (500). This means the QSAs' workload just increased significantly. Also, when you do meet with a QSA, pay attention to his or her instructions for reducing scope. It will pay off when the QSA is required to come back next December.

Of course, GSI provides a great method for reducing scope and implementing the security technicalities. Come see us -- we can help.

Find out more about how GSI addresses PCI compliance.

Further Reading

MasterCard - Merchant Levels Defined
