It’s been a little over a week now since MasterCard tool the PCI world by surprise and changed their reporting requirements for Level 2 merchants. Whether you are currently a Level 1 or Level 2 merchant, these changes affect you. Here’s the summary and rundown.
MasterCard posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and perform an on-site assessment before December 31, 2010. In addition, Level 1 merchants that were previously self-assessing may not self assess anymore, and must use a QSA for their PCI Assessments. This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually, and allowing merchants that process more than six million transactions annually self assess if they choose.
So far, none of the other card brands have changed their status; however, if you have a business unit defined as a Level 2 merchant with any card brand, you are automatically a Level 2 with MasterCard and are now required to have an on-site assessment. Below are a few clarifying points around the change to the levels from an inside source.
- Level 1 and 2 merchants MAY NOT self assess anymore. They must use the services of a QSA to complete their assessment ((still awaiting final confirmation on this)).
- Level 2 merchants must be validated by a QSA prior to December 31, 2010, as well as maintain their current process of submitting a Self Assessment Questionnaire (SAQ). MasterCard’s intent is to use the next eighteen months as a transition period ((VeriSign can provide both deliverables for you at the same time)). With this short timeline, VeriSign (and MasterCard) recommends that Level 2 merchants have readiness assessments performed immediately to prepare them for any remediation required to be completed before the on-site assessment in 2010.
- The on-site assessment must yield a Report on Compliance (ROC), NOT an SAQ. Effectively, Level 1 & 2 merchants will have the exact same reporting requirements for PCI.
- This does not only apply to merchants processing more than one million MasterCard transactions annually; this applies to any merchant classified as a Level 2 merchant from any other card brand. MasterCard defines that their Level 2 also includes “Any merchant meeting the Level 2 criteria of a competing payment brand.” This means that if any other brand defines you as a Level 2 merchant, you are now subject to this requirement. For example, did you know that according to these rules anyone processing more than 50,000 American Express Card transactions per year is now subject to this requirement? Some of us are hearing that even though American Express Level 2 merchants would technically have reciprocity with MasterCard, they are not requiring their Level 2 merchants to go through this process.
Parts of this may not be as relevant to some Level 1 merchants, after Visa clarified their expectations of what makes up a Level 1 merchant earlier this year. If you are a Level 1 merchant in one country or region, and are also a merchant of a lesser level elsewhere in the world but share data with (or are connected to) the Level 1 merchant operations, all operations should be treated as a Level 1 and reported that way.
For example, Garrett’s Gas Guzzling Garage operates 800 car repair locations across the United States. Garrett’s recently opened twenty locations in Mexico City to help maintain and upgrade the fuel efficiency of older cars with a patented fuel particalizer. Even though the twenty Mexico locations process through Bancomer locally, the data is shared with the US Headquarters for settlement, reconciliation, and analysis. According to Visa’s rules, the Mexican entity is considered a Level 1 based on its relationship with the parent, and a Level 1 assessment must be performed.
When in doubt, always ask your acquirer(s) what is expected of you. Some acquiring institutions may still treat certain subsidiaries as lower levels depending on the circumstances.
Regardless, your PCI Team is ready to assist you with any new PCI needs that you may have! Click here to email us to get in touch with one of our seasoned QSA consultants!
Update: MasterCard has the FLIP FLOPS! Check their retraction here.
Possibly Related Posts:
- PCI DSS 4.0 Released plus BOOK DETAILS!
- PCI Council Loses $600K in Revenue, PO Population on the Decline
- Why PCI DSS 4.0 Needs to be a Complete Rewrite
- Equifax is only half the problem, your SSN needs a redesign!
- Orfei Steps Down