Educause Security Discussion mailing list archives

PCI DSS and level 2 merchants


From: Brad Judy <win-hied () BRADJUDY COM>
Date: Fri, 26 Jun 2009 14:12:31 -0400

I hadn't seen this topic discussed on either of these lists yet, so I
thought I'd send out a note.  Forgive me for the cross-post, but it's a
topic right on the border of these discussion groups.

Earlier this month, MasterCard announced revised rules for PCI-DSS
compliance.  In particular, level 2 merchants are now required to have an
external QSA (qualified security assessor) perform an annual ROC (report on
compliance), rather than self-assess.  Level 2 merchants are required to
have their first ROC by the end of 2010.

All of this brings up speculation about impact to merchants: will it
motivate more outsourcing to get below level 2, how much financial burden
does it bring, and how much non-compliance will it bring to light?  Then
there's the impact to assessors: how busy will QSAs be, will there be rapid
growth in the QSA market, and will the quality of QSAs be impacted
(assuming a lot of rookies are brought into play to cover the increased
needs)?

For tracking PCI issues in higher ed, the Treasury Institute has a nice blog
with RSS feed option here: http://treasuryinstitute.org/blog/

Worth noting is this blog posting (linked from the above blog) -
http://blogs.verisign.com/securityconvergence/2009/06/the_final_word_on_mastercards.php
which mentions that the MasterCard level 2 definition includes
the level 2 definitions of other brands, meaning 50,000 American Express
transactions puts you into level 2.

And never forget that it's all about what your bank expects of you.  Make
sure you know what level your bank considers you, and what they expect from
you.

Brad Judy
