Level 2 Merchants Required to Have On-Site Assessment by QSA

On June 15, 2009 MasterCard International introduced several changes to their Site Data Protection (SDP)program. Among these changes was a new requirement for Level 2 Merchants to undergo an on-site assessment by a Qualified Security Assessor in order to validate their PCI DSS compliance. The initial deadline for these validations is December 31, 2010.

MasterCard has posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and an on-site assessment. This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually.

While this is definitely going to put a dent in Level 2 merchant budgets from this point on, there have been a number of breeches involving larger merchants and creating higher risk for the card brands. This is not an unexpected move by MasterCard and so far none of the other card brands have changed their status. It’s unclear if others will follow suit, but regardless, if you are defined as a Level 2 merchant with ANY card brand, you are automatically a Level 2 with MasterCard, and are now required to have an on-site assessment.

Previously, Level 2 Merchants were required to submit an Annual Self-Assessment Questionnaire and undergo Quarterly Network Scans by an Approved Scan Vendor (ASV).