Mastercard Backs Off on QSA Assessment Requirements
manukabay
12-21-2009, 08:20 PM
Mastercard has backed off on eliminating self assessment by level 2 merchants and requiring QSA assessment (vs. merchant internal audit) for level 1 merchants. Merchant staff will be required to attend PCI SSC training and get PCI SSC accredited.
http://blog.nrf.com/2009/12/21/mastercard-revises-assessment-requirements-for-pci-compliance/
http://www.mastercard.com/us/sdp/merchants/merchant_levels.html
jbhall56
12-22-2009, 07:26 PM
If you further read the pronouncement, Level 1 and Level 2 merchants that do not get their internal audit staffs trained and certified by the PCI SSC are required to use a QSA to do their ROC or SAQ. So, while Level 2 merchants do not have to do a ROC, they either have to train and certify their internal audit personnel or hire a QSA. I don't think those Level 2 merchants necessarily gained that much.
carra202
01-06-2010, 09:32 AM
The Council will not train and certify non-QSA companies, right? So how is this a benefit to the merchant if they cannot train their own staff as QSAs in order to ensure their ROC is accepted by their payment processors?
jbhall56
01-06-2010, 11:24 AM
Apparently, the PCI SSC will be training and certifying non-QSAs. It is my understanding that there was some training last year for some of the larger Participating Organizations (PO) that had requested such training. I'm not sure if the PCI SSC will require organizations that desire such training to become POs, but they might.
carra202
01-07-2010, 05:20 AM
My company is a PO, so either way, that is good news. As a level 1 merchant, my hope would be that you are able to conduct the yearly assessment and submit the ROC if your processor/acquirer agrees to accept an internal QSA assessment. I believe as the owner of PCI compliance, that I perform a better pre-assessment than the hired QSA.
manukabay
01-07-2010, 07:53 AM
My company is a PO, so either way, that is good news. As a level 1 merchant, my hope would be that you are able to conduct the yearly assessment and submit the ROC if your processor/acquirer agrees to accept an internal QSA assessment. I believe as the owner of PCI compliance, that I perform a better pre-assessment than the hired QSA.
Having worked in IT for a couple of large merchants I agree. Having internal auditors on our teams up front in the development cycle got security issues covered early. It's a ton easier to have that person in on regular meetings or impromptu discussions when they live down the hall. And they understand the company systems without a lot of getting them up to speed.
jbhall56
01-07-2010, 05:45 PM
There is an announcement on the PCI SSC Web site that indicates that they are going to be training non-QSAs.
ADail
01-11-2010, 12:12 PM
I've actually attended that training (along with Visa's course, the CPISM/A material, and anything else I could attend) and in Las Vegas it was mentioned that the PCI SSC may be looking at a certification for merchants that is basically a Qualified Merchant Program Manager, or some such.
For my $ the CPISM/A course is hands-down the most thorough and should be the base course anyone in a merchant organization takes (because it deals with a lot more than just PCI).
The other training should come later because it is helpful to hear the first-hand interpretations of the material (as well as how the brand's perspective differs), but that's just my opinion.