Mastercard Specific Policy and Recommendations

September 20, 2022
a. It is “highly recommended” that the entity engage a Qualified Security Assessor (QSA) for the completion of the form. Because this is a recommendation rather than a requirement, an onsite review is not required in order to complete the Prioritized Approach. However, an onsite review is required to confirm compliance and provide the Attestation of Compliance (AOC). This gives the entity an opportunity to provide an accurate and detailed self-assessment, within the Prioritized Approach, while actively searching for a QSA to complete a full onsite review before the proposed target date.
b. The target dates for compliance, in relation to any area of deficiency, must be adhered to. Noncompliance with the dates indicated in the Prioritized Approach may result in the application of noncompliance assessments.
c. An entity declaring itself compliant in any of the noted areas may be subject to a noncompliance assessment if it is subsequently found, during an onsite review, that there are deficiencies within that section. If new areas of concern are identified during the onsite review, Mastercard must receive an immediate update noting them, together with a new or updated target date for compliance.
d. Mastercard must receive an AOC from a QSA, on or before the latest target date. All areas of deficiency must be corrected and deemed PCI compliant by the contracted QSA.
e. Mastercard may allow a maximum compliance target date of one year from the date of the Prioritized Approach submission. One year is adequate time for an entity to engage a QSA, correct areas of deficiency and become fully compliant with the PCI DSS. Therefore, if the entity has not engaged a QSA at the time it completes the Prioritized Approach, it is highly recommended that it do so in the immediate future. Lead times for correcting any previously unknown deficiencies identified during the QSA review should be taken into account when setting target dates. Mastercard will not grant extensions for compliance beyond the one-year maximum target date.