self assessment

MasterCard SDP Program | Attention Level 2 Merchants | PCI DSS

The MasterCard SDP Program has essentially made changes that now require Level 2 Merchants to have an annual on-site review of their security controls by a Qualified Security Assessor (QSA) for purposes of complying with PCI DSS. Let me state for the record, as a QSA, this is big news. There are now scores of Level 2 Merchants that cannot “Self Assess” anymore, thus having to comply with an actual on-site assessment by a QSA. And to be fair, can you really blame MasterCard when the chatter of late has been that most merchants simply “check the box” on their self-assessment, not giving it much though or due care. Well, not any more as Level 2 Merchants will now need to be prepared to face the rigors of an annual on-site assessment.

My advice, find a competent, cost-effective QSA who really knows what he/she is doing. Second, engage with a Qualified Security Assessor Company (QSAC) to conduct a PCI DSS Readiness Assessment for determining how “ready” your organization is for actually undertaking an annual on-site assessment. They take time to complete and require resources, to say the least.

If you want to learn more about PCI DSS, visit the Official PCI DSS Resource Guide.

PCI DSS Compliance for Merchants | A Self-Assessment could be a thing of the Past

PCI DSS Compliance for merchants is a hot topic indeed as witnessed by the large and ever growing number of businesses having to comply with PCI DSS. And to be fair, the vast majority can “self-assess” for compliance by answering a series of questions from a specified “Self Assessment Questionnaire” (SAQ) document obtained at www.pcisecuritystandards.org.

But lurking beneath are a number of variables, issues and hot topics possibly resulting in many more merchants having to undertake an actual dreaded on-site PCI DSS assessment by a Qualified Security Assessor (QSA) instead of simply filling out a Self-Assessment Questionnaire.

For one, the Self Assessment Questionnaires are starting to become seen as nothing more than a check the box answer, with little or no efforts taken by the merchants to truly secure their cardholder data environment. Unfortunately, many merchants have come to symbolize the phrase “self assess” as a meaningless document which is nothing more than a burden to their businesses. Merchants beware, as the major payment brands, acquirers and other interested parties (i.e., state legislative bodies) are seeking to change this. MasterCard recently made changes to their Merchant level requirements, which to say the least, could potentially impact a large number of merchants. Add to the fact the payment processors, gateways and customers alike are now starting to ask more and more about PCI compliance from organizations they do business with.

If you want to learn more about PCI DSS compliance, visit the official PCI Resource Guide.