MasterCard announced a new requirement for Level 1 and Level 2 Merchants, mandating these two groups must use an authorized Qualified Security Assessor (QSA) to conduct a PCI DSS security assessment.
The requirement has a "due date" of December 31, 2010. That is the date by which each Level 1 and Level 2 merchant must have submitted proof of compliance filed by an authorized QSA, not the date by which you should START working with a QSA.
Based on our experience validating PCI DSS compliance for Level 1 and Level 2 merchants over the past 5 years, achieving full compliance is not something to put off until sometime in 2010. Many large merchants required as much as 18+ months to get compliant, and not one was accomplished in less than 10 months. Many of these merchants had already conducted their own internal PCI audit or completed SAQs and had felt pretty good about their compliance program.
Larger merchants should begin a program with an authorized QSA as soon as possible, no matter how compliant you "think" you are. If your network and processes are in good shape, you may well finish "early" for the MasterCard deadline; chances are, though, that you will need the time to prepare for a PCI DSS assessment that results in a finding of compliance.
Level 1 merchants are defined as those that store, transmit, or process more than 6 million MasterCard transactions/accounts per year and Level 2 are those that handle between 1 million and 6 million annually.
-Gary