"The noncompliance assessment structure now contains escalating assessments per violation within a calendar year," said the document sent to members earlier this summer. "Maximum assessments for initial noncompliance for Level 2 and Level 3 merchants have increased to $25,000 and $10,000, respectively. Furthermore, the $500,000 annual aggregate maximum for acquirer noncompliance assessments related to program noncompliance has been discontinued."
As for those escalations, MasterCard has grouped Levels 1 and 2 together. The first violation for those groups is $25K, jumps to $50K for the second violation, $100K for the third violation and $200K for the fourth. Level 3 retailers face first through fourth violation fines of $10K, $20K, $40K and $80K. Service providers that are ranked either Level 1 or Level 2 will see first through fourth violation fines of $25K, $50K, $100K and $200K.
Terri Quinn-Andry, Cisco's senior manager of PCI, said that she applauds MasterCard's new found openness and said that she hopes the new fines will be effective. But does she truly think it will have an impact? "I think if they truly enforce the fine structure, that will make a difference," she said. "Of course, we won't know that until 2011."
The document also confirmed reports of slightly more stringent rules for on-site assessments. "All Level 1 merchants that have engaged an internal auditor before 15 June 2009 must validate compliance with the PCI DSS via an annual onsite assessment conducted by a PCI SSC certified QSA by 31 December 2010," the document said. "Effective 31 December 2010, all Level 2 merchants must complete an annual onsite assessment conducted by a PCI SSC certified QSA."
The level 1 requirement had been merely that merchants' internal auditor could perform the assessment.