Educause Security Discussion mailing list archives
PCI DSS and level 2 merchants
From: Brad Judy <win-hied () BRADJUDY COM>
Date: Fri, 26 Jun 2009 14:12:31 -0400
I hadn't seen this topic discussed on either of these lists yet, so I thought I'd send out a note. Forgive me for the cross-post, but it's a topic right on the border of these discussion groups.

Earlier this month, MasterCard announced revised rules for PCI-DSS compliance. In particular, level 2 merchants are now required to have an external QSA (qualified security assessor) perform an annual ROC (report on compliance), rather than self-assess. Level 2 merchants are required to have their first ROC by the end of 2010.

All of this brings up speculation about impact to merchants: will it motivate more outsourcing to get below level 2, how much financial burden does it bring, and how much non-compliance will it bring to light? Then there's the impact to assessors: how busy will QSAs be, will there be rapid growth in the QSA market, and will the quality of QSAs be impacted (assuming a lot of rookies are brought into play to cover the increased needs)?

For tracking PCI issues in higher ed, the Treasury Institute has a nice blog with RSS feed option here: http://treasuryinstitute.org/blog/

Worth noting is this blog posting (linked from the above blog) - http://blogs.verisign.com/securityconvergence/2009/06/the_final_word_on_mastercards.php - which mentions that the MasterCard level 2 definition includes the level 2 definitions of other brands, meaning 50,000 American Express transactions puts you into level 2.

And never forget that it's all about what your bank expects of you. Make sure you know what level your bank considers you, and what they expect from you.

Brad Judy