Thanks to a fellow reader for pointing this out! It appears that MasterCard and Visa (sorta) have removed the reciprocity statements from their level definitions. Discover still has the reciprocity statement on their levels; American Express and JCB never used reciprocity for their level definitions (to my best recollection).
Several industry insiders have been told that it was never the intent of MasterCard to force a merchant that accepts a single JCB card to go through an on-site assessment if they did not meet the MasterCard threshold. Now it appears that this is the case as the official merchant level definitions reflect exactly this.
Unfortunately, the road does not end there. In fact, it starts forking like crazy.
Now that reciprocity is gone, you have to take each card brand’s volume INDIVIDUALLY in order to determine your level and requirements. As you know, each brand may end up with different validation requirements depending on where you fall in the spectrum. For example, a merchant processing 2,000 Discover, 2 Million MasterCard, and 50,000 non-ecommerce Visa transactions annually is considered a level 2 with MasterCard & Discover, and a level 4 with Visa. This means they must have an on-site assessment thanks to MasterCard’s program (facing fines if they don’t) and submit an SAQ to Discover, yet are not required to submit anything for Visa. WOW! Can it GET any more complex?
Yep.
Visa Canada still uses reciprocity in their merchant levels and still requires QSAs to attest to merchants’ SAQs. For some strange reason, it appears that Level 1 Visa merchants in Canada must do both an SAQ and a ROC? I think there is a typo there, but I could be wrong.
Your merchant level discussion just got much more complex. If all else fails, your best bet is to list out your annual card acceptance rates by brand, and double check the levels on their website to determine what you need to do. This is an important discussion to have with your QSA (if you use one) to make sure that all of the reporting criteria are met.
Update, 16 Nov 2009: At this time, MasterCard’s reciprocity requirements may still be enforced, as they are still in place in that card brand’s operating guidelines even though they are not posted on their website. Hopefully this will get straightened out for consistency soon, as not all stakeholders can see these regulations.
Update, 1 Mar 2010: Looks like MasterCard has specifically called out reciprocity with Visa. That helps things a bit.