Is anyone thinking about June 30, 2011 yet?  If you are a Level 1 or Level 2 merchant, you certainly should be!  Here’s why:

MasterCard had a rough time last year. They made some new rules, they changed the rules, and then they removed many of those rules.  This year, they worked out the kinks (arguably something they should have done before the first announcement) and have a revised set of requirements.

Nicholas R Horne

Remember us talking about reciprocity last year? From the excellent post by Chris Mark on the end of the Level 4 Merchant to the retraction and strange website posts and commentary by MasterCard, reciprocity was a hotly debated issue.  As of this writing, the reciprocity on MasterCard’s website is with Visa ONLY.  This really makes the most sense ((No offense meant to American Express, Discover, and JCB.  Your levels do not really match up with Visa’s & MasterCard’s, and they account for well over half the cards issued, credit or debit. Just looking at it from a sizing perspective.)), and I believe was MasterCard’s true intent.  The reality is that most card brands don’t expect you to do both a Report on Compliance (ROC) AND a Self-Assessment Questionnaire (SAQ).  If you have to fulfill the requirements of a ROC for one, you should be able to use it to demonstrate compliance for another that only requires a SAQ.

The second one is a bit trickier.  Up until June 30, 2011, Level 1 MasterCard merchants can still opt to self-assess.  After that, self-assessments are not permitted UNLESS the “primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any PCI SSC associated accreditation program annually in order to continue to use internal auditors.” No more self-assessing without training and accreditation by the Council, which makes sense.

But what about that Level 2 merchant hornet’s nest that MasterCard kicked last year?  Do they have to also do a ROC?  Nope.  BUT, they DO have to “ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation.” ((ibid.)) Alternatively, they can have the annual on-site assessment conducted by a QSA (note NOT the SAQ, though theoretically an accredited individual could lead the SAQ effort as long as it is signed by a C-Level exec of the merchant).

I actually really like what MasterCard ended up with, and I think it is ultimately what they TRIED to do last year.  This will help Level 2s get more accurate assessment results, thus theoretically providing more security in the payment system. A trained individual could obviously lie on a SAQ (which is happening today already with individuals not trained), but there is not much you can do about that. Hopefully, someone going through the training will be unwilling to sign their name on a report that is inaccurate.

This post originally appeared on
