I saw your answer on PCI Level 2 self-assessments, and I had a follow-up question: Doesn't MasterCard require that an ISA fill out the PCI self-assessment for a Level 2 merchant? If so, how do we deal with that?
The first option is that Level 2 merchants may, if they choose to, hire a Qualified Security Assessor (QSA) to complete their annual assessment. The QSA will issue a report on compliance (ROC), just as they would for a Level 1 merchant, and submit it to the organization's merchant bank. This option may be desirable for merchants who border on Level 1 status and wish to have a ROC in hand. It also may be useful for merchants who do not have an Internal Security Assessor (ISA) on staff and do not wish to invest in the training required to certify a staff member as an ISA. The downside with this approach, of course, is that hiring a QSA to complete a ROC can be a very expensive undertaking.
The second option available to Level 2 merchants is to continue to perform a self-assessment, as done previously. However, as you point out, there's a new twist: The individual(s) performing the assessment must attend the PCI Security Standards Council's ISA training program (online or in person) and pass the certification exam. This program is $1,495 for PCI SSC Participating Organizations and $2,595 for nonmembers. Current ISAs must take an annual online refresher course for $995.
The bottom line is that merchants classified as Level 2 by MasterCard now have one extra hoop to jump through. The quickest way to satisfy the requirement is to grit your teeth, shell out a couple thousand dollars and send a member of your team to ISA training.