Staring Dec 31, 2010 companies that fall into this category, called Level 2, will be required to undergo an onsite review of their security controls by a MasterCard approved third-party assessor.

Presently, such merchants are only required to fill out a self assessment evaluating their compliance with MasterCard's Site Data Protection requirements. It's only the Level 1 merchants -- those processing more than 6 million cards annually -- that are currently required to do on-site assessments.

It is unclear immediately what might have prompted the change on MasterCard's part. Requests for comment from MasterCard were not returned.

MasterCard, Visa and the other major credit card companies currently require all companies that accept payment card transactions to comply with security requirements called the Payment Card Industry Data Security Standard, or PCI DSS. But each has its own standards for assessing compliance with PCI requirements.

The change marks one of the few instances where Mastercard has issued a security mandate ahead of Visa, which has generally been the most aggressive proponent of PCI.

Jim Huguelet, an independent PCI consultant in Bolingbrook, IL., said, "It remains to be seen if this represents a new trend of leadership on the part of MasterCard, and if not what specifically prompted MasterCard to make this change at this point in time."

The new rule looms at a time when there is a shortage of assessors to do on-site security assessments, Huguelet said. "I think one of the greatest impacts, if this is enforced, is increasing the demand for qualified security assessors," he said. "This will only further exacerbate the situation."

MasterCard's Web site still lists Level 2 merchants as requiring a self-assessment annually, Huguelet noted. "The industry needs an explanation as to what this means in practiceas having an audit by a qualified security assessor and completing a self-assessment would tend to be mutually exclusive," he said.

Avivah Litan, an analyst at Gartner Inc., said the timing of MasterCard's move is poor because it comes even as there is growing concern about the quality of the existing base of third-party assessors in the payment industry.

Until measures are taken to ensure better quality and standardization of third-party assessors and assessment practices, there appears to be little that is gained by requiring Level 2 merchants to undergo on-site evaluations, Litan said.