Level 2 merchants do not need to obtain a QSA onsite assessment.
MasterCard has apparently reversed its decision earlier this year that required Level 2 merchants to hire a PCI-approved auditor complete an annual on-site data security assessment.
The credit card company made waves this summer when it increased PCI compliance requirements for merchants processing between one million and six million transactions annually. The first assessment was due by Dec. 31, 2010, but PCI expert Branden Williams writes in his blog that MasterCard backed off on the requirement. Evan Schuman of StorefrontBacktalk also writes about the company’s quiet change in plans
MasterCard did not immediately respond to a request for comment, but the company’s website indicates the change in requirement. Now, QSA-conducted onsite assessments are at the discretion of the Level 2 merchant. Williams notes that the company also is aligning its merchant levels with Visa.
The dropped on-site assessment requirement will save Level 2 merchants money, but Williams said the move is a step backward for MasterCard in pushing compliance.
“Those in the industry know that self assessments are great, but because some of them are completed by individuals without a core understanding of the PCI DSS regulations, the false positive and negative rates are much higher,” he wrote.