On June 17, MasterCard® posted a change to its Site Data Protection program that requires Level 2 merchants to be validated by a Qualified Security Assessor (QSA) by December 31, 2010, as well as maintain its current process of submitting Self Assessment Questionnaires (SAQ). This is a dramatic change from the current, industry-wide requirement of self-assessment for merchants processing less than six million transactions annually.
With this short timeline, VeriSign echoes MasterCard's recommendation that Level 2 merchants have readiness assessments performed as soon as possible, preparing them for the on-site assessment that must be completed in 2010.(1) "VeriSign is offering up its vast experience earned from assisting Level 1 merchants becoming compliant with PCI DSS," said Branden Williams, director of the PCI Practice for VeriSign. "Level 2 merchants now facing an external assessment will be able to tap into this vast knowledge at a discounted rate."
The rule change does not only apply to merchants processing more than one million MasterCard transactions annually; this applies to any merchant classified as a Level 2 merchant from any other card brand. MasterCard defines that its Level 2 also includes "Any merchant meeting the Level 2 criteria of a competing payment brand." This means that if any other brand defines an organization as a Level 2 merchant, the organization is most likely now subject to this requirement.
"When in doubt, always ask your acquirer what is expected of you," said Williams. "Some acquiring institutions may still classify certain merchants at lower levels depending on the circumstances."
The VeriSign PCI Team is ready to assist all merchants with any PCI needs. VeriSign's PCI Practice is offering discounted PCI Assessment and Remediation Service fees (only) for Level 2 merchants if the work is booked by September 30, 2009.
To learn more about VeriSign PCI DSS Services or to inquire about the discount, email firstname.lastname@example.org or call +1 650-426-5310. Additionally, VeriSign has a whitepaper available that highlights key differentiators among QSAs and QSA vendors, visit https://entsecurity.verisign.com/forms/QSA090318 to download. For more information on the Master Card Merchant Level criteria, visit http://www.mastercard.com/us/sdp/merchants/merchant_levels.html.
(1) "MasterCard clarifies its new Level 2 requirements," Javelin Strategy & Research, June 22, 2009; accessed at http://www.javelinstrategy.com/2009/06/22/mastercard-clarifies-its-new-level-2-requirements/ on July 22, 2009
VeriSign, Inc. (