The PCI DSS world was shocked yet again this week when MasterCard backed off its position from earlier this year that required Level 2 merchants to obtain validation from a QSA, and publicly aligned its merchant levels directly with Visa's, including reciprocity between the two brands' levels.  The reason I put “publicly” in there is that MasterCard's merchant operating regulations are NOT public the way Visa's are, but I understand that level reciprocity remains in those regulations even though it was removed from the public-facing information.

This is why merchants and service providers alike don’t take deadlines seriously.  Visa (in the US, anyway) has at least tried, and mostly succeeded, to stick by its deadlines, though I’m not sure what will happen in 2010 as global deadlines loom.  But when a big splash is made with a massive ripple effect throughout the industry, and then the stone gets “un-thrown,” what is the industry supposed to do?  If MasterCard had done a better job of socializing this idea with ALL of the key stakeholders and rolled it out more effectively, we would not see these massive policy reversals.

Aside from the politician-like flip-flopping, I think this is a step backward for MasterCard as it relates to its desire to push compliance adoption forward.  Those in the industry know that Self Assessments are great, but because some of them are completed by individuals without a core understanding of the PCI DSS requirements, the false positive and false negative rates are much higher.  (As a side note, if you are doing this for your organization this year, buy our book on PCI!)  What MasterCard should have done was socialize the problem and the intent to change, and then give a longer runway than it did.  After learning more about the organization, I know why it didn’t do this.  It’s one of those points where we see things differently.

On-site assessments by QSAs are now at a Level 2 merchant’s discretion, and Level 1 merchants that choose to do an internal PCI DSS assessment must have a lead assessor who has been through merchant training and passed any associated accreditation.  I would say that if you are a Level 2 retailer and serious about your business, you should at least perform a full PCI DSS assessment internally, and possibly have a QSA look over your shoulder while doing it.  The benefits outweigh the costs, regardless of what your card brands require.

