A little over a year ago Mastercard sent a shot over the bow of Level 2 Merchants when they informed them that they would have to undergo a PCI DSS audit by a qualified QSA auditor, or send internal IT staff to ISA training given by the PCI Security Standards Council. Level 2 merchants had been completing a Self-Assessment Questionnaire (SAQ) each year, and this represented a big step-up in the requirements.
Merchants scrambled to prepare for this new requirement which was due to take effect on June 30, 2011. A number of Level 2 merchants signed up early for the ISA training, and several training sessions were held in the US and Europe. Annual training and certification seemed more attractive than an on-site QSA audit to many merchants, probably because of the cost associated with an on-site audit. But I am guessing that the demand for ISA training out-stripped the availability of classes.
Mastercard just announced a postponement of the SDP ISA requirement:
“In June, 2011, MasterCard announced revisions to the SDP Program mandate by postponing the implementation date of the Level 1 and Level 2 merchant internal audit staff training and certification requirements until 30 June 2012. MasterCard has postponed the implementation date of the Level 1 and Level 2 merchant internal audit staff training and certification requirements to accommodate for the PCI SSC’s global rollout of the ISA Program and to provide Level 1 and Level 2 merchants in all regions with the opportunity to attend the ISA Program and pass the associated accreditation examination.”
The full announcement is here.
I believe that this announcement is a good faith action on the part of Mastercard to help merchants meet the requirement. We saw a similar action on the part of the State of Massachusetts when they delayed the implementation of their mandatory encryption requirements for consumer privacy. These requirements were eventually placed into effect and are now law. Level 2 merchants should not interpret this as a reprieve from having to meet these requirements. If you aren’t scheduled for ISA training, get registered now and don’t put it off! You are going to need to meet these requirements and the sooner you get the training done the better off you are going to be.
By the way, I’ve heard great reports on the training! It is practical and effective, and Level 2 merchants are reporting a lot of benefits from the training.