MasterCard Revises Level 2 Merchant PCI Measure

Merchants processing from 1 million to 6 million MasterCard transactions no longer have to meet a Dec. 31, 2010, deadline to have a third-party security assessor perform an onsite assessment of their payment networks for compliance with Payment Card Industry data security standards unless they want to do so voluntarily, according to a MasterCard spokesperson. This is a reversal from a policy MasterCard contained in an Aug. 17 Site Data Protection program document that would have required such so-called Level 2 merchants to pay for a qualified security assessor to audit their compliance by Dec. 31, 2010. Now MasterCard has moved the compliance deadline to June 30, 2011, and made the onsite assessment optional. Level 2 merchants will be required annually to complete a self-assessment questionnaire and perform quarterly network-security scans of their systems. Merchant employees completing the self-assessments must have completed Payment Card Industry Security Standards Council training and pass the council’s accreditation program, according to a MasterCard Dec. 15 Global Security Bulletin. The Aug. 17 summary of changes to MasterCard’s Site Data Protection program said the earlier change was designed to aid the “consistent application and implementation of [data security-standard] requirements.”