MasterCard Gets PCI Tough With Level 2 Retailers?
Written by Evan SchumanMasterCard has changed its PCI rules and is now insisting that all Level 2 merchants have on-site assessments.
“This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually,” wrote Branden Williams, in his excellent Security Convergence Blog, which seems to have broken the story on Wednesday (June 17). The blog also reports that none of the other card brands—including Visa, the Uber Brand when it comes to PCI issues—have done the same.
There’s no dispute that this is a significant move, but whether it will truly have any lasting—and meaningful—impact is unclear. That’s because of a few issues, especially the confusing rules surrounding self-assessments.
It was late in 2007 when Visa started allowing Level 1s to self-assess. Even that was not so dramatic because it could only happen when there was agreement between the retailer’s execs, the acquiring bank as well as the card brand. Heck, if a retailer can get agreement among all three of those groups, there’s no PCI rule that can’t be changed or waived. That’s akin to saying that an American consumer can do something as long as the Senate, House, White House and Supreme Court signs off.
I am going out on a limb and say that any Level 2 retailer will still be able to self-assess, as long as the retailer can make a solid argument to the acquiring bank that they can handle the form and that they’re passed assessments with flying colors many times. This also assumes that the brand has no objection.
Adding more confusion to this situation is that it’s MasterCard doing it. Let’s be candid. MasterCard, AmericanExpress, Diner’s Club, JCB and the others are powerful brands (OK, maybe that’s pushing it a bit with Diner’s Club. You seen many around lately?). But as powerful as they are, it’s Visa that calls the shots these days on PCI matters. If Visa doesn’t make similar changes, not clear what will happen. What will the acquiring banks do?
That all said, it’s unclear what is behind this. If MasterCard is not so much trying to be more stringent with Level 2s as it is trying to crack down on the extremely common inaccurate answers—based on misunderstood questions—coming from self-assessments. If this is the beginning of a campaign to eliminate self-assessments from all retailers in Levels 1, 2 and 3, that could prove very interesting.
If it is, though, that raises logistical issues. The most prominent such issue is “Where are all of these assessors going to come from?” Performing assessments has never been especially profitable, unless lots of related hardware and software sales are bundled. A flood of new assessors is likely to have the opposite of the intended impact. New assessors are likely to generate almost as many mistakes as the self-assessments they’re supposed to replace.
-Dan Stiel
June 18th, 2009 at 12:41 pm
Trust me, QSACs make a killing at on site assessments. They pound up the hours and bill the snot out of the merchant. The problem is there aren’t enough on site assessments to keep the legion of QSACs/QSAs busy year round.
My money says, the smart L2 merchants will drop MC in favor of cash, VISA/Amex/Discover/JCB and tell MasterCard to suck rocks.
June 18th, 2009 at 10:48 pm
Thanks for the kind words! One thing to remember (and I’ll post something about this tomorrow), most card brands have reciprocity with other brands when it comes to determining levels. Thus, ALL Level 2 merchants, regardless of brand (because if you are a Level 2 with Visa, you are a level 2 with most, including MasterCard) will now be subject to this new requirement.
June 20th, 2009 at 12:20 pm
According to the Society of Payment Security Professionals forum:
“Merchant level is defined by each brand (remember, the PCI Council owns the standards, but each brand enforces them). For example, while MC and Visa are aligned, Amex has only 3 merchant levels.
The key is to look at transaction count by brand. A common mistake I see is for merchants to total all their card transactions then look up their merchant level. Instead, read the requirements carefully: Visa only deals with Visa; MC with MC; Amex with Amex. Therefore I may have 10 million card trans per year, but if it is made up of 5 million Visa, 3 million M/C, and 2 million Amex, I’d be a Level 2 merchant.
The key is look at transactions by brand.
June 21st, 2009 at 6:50 pm
Hi,
You forgot to mention that a MasterCard Tier 2 Merchant is clasified as having transaction volumes FROM 1 million up to 6 million per annum.
Your article sounds like every merchant is a tier 2.
Regards,
Leslie Barrett
June 21st, 2009 at 8:46 pm
Editor’s Note: Leslie’s note is valid. Like every other publication, we struggle with how much we assume our particular audience knows. If we spell out too much, the audience gets offended and concludes that we don’t know that space. (Example: If The Washington Post defined what a U.S. Senator is for a story about the status of a particular piece of Senate legislation. Such an explanation could easily alienate its audience.)
We often ask readers and update our style policy as times change. There was a time when we felt the need to spell out what PCI was, but we no longer feel that way, at least for our core audience.
To your comment, we made the assumption that the subset of our readers who would have an interest in reading a piece about MasterCard changing its policies regarding PCI requirements …. we concluded that that particular subset of our audience would know what a Level 2 merchant meant.
That said, it probably wouldn’t have hurt to thrown in a standard description at the end, defining each PCI Level, at least from MasterCard’s perspective.
June 22nd, 2009 at 3:48 pm
Do we have any confirmation that Amex Level 2 (50k transactions) is -not- cause to be considered Level 2 for MasterCard?
I can’t imagine this would be true, but I need confirmation.
Thanks in advance!