FINALLY!  An official statement from MasterCard!  Last night, MasterCard posted a four page FAQ on their website to help us deal with the onslaught of buzz that came from their original posting.  Some of it anecdotal and humorous (albeit literally true), some of it from this very blog.

Here’s the meat of what you need to know:

Streeter Seidell, Comedian, by Zach Klein

Streeter Seidell, Comedian, by Zach Klein

  • Level 1 merchants that engaged an internal audit team before 15 June 2009 must  validate compliance with a QSA by December 31, 2010.
  • Level 2 merchants must ALSO validate compliance with a QSA by December 31, 2010.
  • Internal assessments MAY NOT be performed.  The way that MasterCard words this, it appears to be a punt over to the Council.  If the Council would offer QSA training and certify employees of non-QSA companies, MasterCard may alter their position.
  • These deadlines do not alter a merchant’s (or service provider’s) annual anniversary date.
  • Merchants must be compliant with PCI DSS upon boarding.  Expect to provide a compliant ROC and AoC if this applies to you.
  • Level 2 merchants that currently fill out SAQ-A MAY STILL validate their compliance this way!  They DO NOT require an on-site assessment.
  • Merchants not compliant with PCI DSS will need to let their Acquirer know where they are in relation to the council’s Prioritized Approach document.  I’m not sure what MasterCard will do with this information, but as we’ve discussed before, where you fall on the prioritized approach may not be representative of the actual risk you carry.
  • Service provider changes don’t seem any different from what Visa has already enacted for the CISP program.

Items still outstanding:

  • If I accept 1 JCB card1, am I a Level 2 MasterCard merchant, thus require an on-site assessment even if I only accept 10,000 MasterCard transactions annually?
  • Level reciprocity is also clouded with American Express’s merchant levels… 50K transactions puts you at a Level 2.

According to the document, MasterCard originally communicated the new levels and program changes on June 15 (2 days prior to me posting about it), but only to Acquirers and Processors.  So this whole cluster begs the question… Did MasterCard learn anything?

Time will tell, but in order for MasterCard to avoid something like this in the future, they really need to communicate better to ALL of their stakeholders, not just their members.  All it would have taken is a quick run of the new program by a few key outsiders to point out some of the issues that have been addressed above, thus re-framing the new requirements and avoiding this mess.

This post originally appeared on

Possibly Related Posts:

  1. JCB only has 2 merchant levels []