Tuesday, January 26, 2010

New MasterCard Rules for PCI

As many of you are already aware, MasterCard announced in early 2009 changes to merchant PCI DSS validation requirements under its Site Data Protection (SDP) program. These changes primarily concerned 1) the ability of merchants to use Internal Audit (IA) staff to conduct the annual onsite assessment, and 2) more stringent validation requirements for Level 2 merchants.

In recent weeks, MasterCard has again updated its merchant validation requirements.

To summarize the updated MasterCard requirements:

- Level 1 Merchants may continue to use IA staff to perform the annual onsite assessment, provided that (effective June 30, 2011) the IA staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually.

- Level 2 Merchants are permitted to continue to complete an annual self-assessment questionnaire (SAQ). Alternatively, Level 2 Merchants may, at their discretion, have an annual onsite assessment conducted by a PCI SSC approved Qualified Security Assessor (QSA) in place of the self-assessment questionnaire.

- Level 2 Merchants that choose to complete an annual self-assessment questionnaire must ensure that (effective June 30, 2011) the staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually.

We are working with our merchant clients to help them navigate the often complex and changing requirements involved in maintaining continued compliance with the PCI DSS.