Wed 17 Jun 2009
Level 2 Merchants better shore up their house
Posted by andyitguy under PCI, information security
1 Comment
According to the MasterCard website, they are going to start requiring Level 2 merchants to undergo an onsite QSA audit. This news comes to me via my friend and fellow blogger Martin McKeay over at the Network Security Blog. This is NOT good news for a lot of Level 2 merchants because it means that they may well get caught in their dishonesty. It IS good news in that it will force the hands of many merchants to actually start implementing good security practices in areas where they may currently be lacking.
I know that there are lots of dissenting opinions out there regarding the effectiveness of PCI, but I think that it really does make a difference, especially when a merchant is required to validate that they are following the regulations. It’s easy to answer a bunch of questions and say that you are doing this and that, but to really have to prove it is something else. Even if an audit only validates compliance at a particular point in time, it still encourages and requires good security practices. Many companies are doing things that they would not do if they weren’t required to by PCI. I know that this sounds different from the tone that I took a few weeks ago in my “Compliance doesn’t really matter” post, but it’s not. I still don’t like compliance as a driver for security, but it is better than nothing.
Another good thing that will come out of this for many companies is that it will encourage them to document what they are doing and how they are doing it. Too many companies are doing many of the right things, but they aren’t documented, and if something happens to either the network or key personnel then valuable information may be lost and no one will know how to “fix” it. Things will have to be redesigned and reengineered. Documentation helps you see what you have and prevents (or at least reduces) duplication of effort and implementing things that work against, instead of complement, what you are currently doing. Not to mention that the best way to stay on your auditor’s good side is to provide him/her with good, accurate documentation. This makes their job easier and keeps them in a good mood.
So, all in all, I think that this will be a good thing in the long run, even though I’m not crazy about having to go through another audit.