The MasterCard SDP Program has essentially made changes that now require Level 2 Merchants to have an annual on-site review of their security controls by a Qualified Security Assessor (QSA) for purposes of complying with PCI DSS. Let me state for the record, as a QSA, this is big news. There are now scores of Level 2 Merchants that cannot “Self Assess” anymore, thus having to comply with an actual on-site assessment by a QSA. And to be fair, can you really blame MasterCard when the chatter of late has been that most merchants simply “check the box” on their self-assessment, not giving it much though or due care. Well, not any more as Level 2 Merchants will now need to be prepared to face the rigors of an annual on-site assessment.
My advice, find a competent, cost-effective QSA who really knows what he/she is doing. Second, engage with a Qualified Security Assessor Company (QSAC) to conduct a PCI DSS Readiness Assessment for determining how “ready” your organization is for actually undertaking an annual on-site assessment. They take time to complete and require resources, to say the least.
If you want to learn more about PCI DSS, visit the Official PCI DSS Resource Guide.