Commerce bank card 2, by The Consumerist

Commerce bank card 2, by The Consumerist

On Wednesday, we discussed MasterCard’s new requirement for Level 2 merchants to have an on-site assessment performed instead of submitting the Self-Assessment Questionnaire (see the final word here).  This news prompted a flurry of information around the new requirement and has merchants asking lots of questions.

I clarified a couple of items from my last post and wanted to make sure they were clear.

  1. MasterCard’s 2010 deadline is more of an end to submitting SAQs as opposed to a deadline to be validated by a QSA.  This means that Level 2 merchants will continue to be able to submit SAQs until December 31, 2010, after which they will need to have the on-site assessment, performed by a QSA.
  2. The On-Site assessment must yield a Report on Compliance (ROC), NOT a SAQ.  Effectively, Level 1 & 2 merchants will have the exact same reporting requirements for PCI.
  3. This does not apply only to merchants processing more than 1 million MasterCard transactions annually, this applies to any merchant classified as a Level 2 merchant from any other card brand.  MasterCard defines that their Level 2 also includes  “Any merchant meeting the Level 2 criteria of a competing payment brand.”  This means that if any other brand defines you as a Level 2 merchant, you are now subject to this requirement.

I hope you all have a chance to ponder that over the weekend, and we’ll catch you next week for more security fun!

Update: MasterCard has the FLIP FLOPS!  Check their retraction here.

This post originally appeared on

Possibly Related Posts: