MasterCard Blinks, Drops Dec. 31 Level 2 PCI Deadline
Written by Evan SchumanMasterCard has quietly backed off from a much-complained-about plan to require Level 2 merchants to—for the first time—have an onsite QSA assessment completed by the end of 2010. Having a New Year’s Eve deadline—on the heels of the all-encompassing holiday season—was a recipe for tons of missed deadlines.
The first MasterCard change made this month was pushing the Dec. 31, 2010, deadline back six months, to June 30, 2011. But MasterCard has also made two other key PCI changes. It has redefined what Level a retailer is (Level 1, 2, 3 or 4) to explicitly mirror whatever level Visa has determined. (The language used to say “competing brand.”) The last of the changes is to allow Level 1 and Level 2 retailers to perform their own assessments—using the retailer’s own salaried audit staff—as long as those audit staffers have passed PCI-approved training courses.
Update To This Story: MasterCard Clarifies Its Thinking
Walt Conway, a QSA for 403 Labs who also writes StorefrontBacktalk‘s weekly PCI column, applauded the MasterCard move, but said the change isn’t entirely good news for retailers. That’s because the agreement to mirror whatever Level Visa has assigned will likely promote many chains that simply had far more Visa transactions than MasterCard transactions. Because Visa generally treats Level 2s less strictly than does MasterCard, these promotions may not be universally welcomed.
“A bunch of Level 3 and Level 4 merchants just became Level 2s,” Conway said. “With this reciprocity gotcha, MasterCard giveth and MasterCard taketh away.”
One advantage to the change is simple cost-savings, as training the existing audit staffers will almost certainly cost a lot less than paying for an outside QSA.
“We heard at the PCI Community Meeting that the Council was working on a certification program for merchant staff that would be modeled on the current QSA training,” Conway said. “It appears the training (and certification) will be in place by next year, and MasterCard is reflecting this development in its PCI validation requirements.”
-Marc
December 17th, 2009 at 12:35 pm
Couple of thoughts on this article
1) “MasterCard Blinks”
Let’s give ’em credit. (No, I don’t work for MasterCard – LOL) There was some good behavior here bears repeating: A major payment brand listened to the concerns of key stakeholders and arrived at a balanced compromise. Some of those concerns:
(a) MasterCard’s risk-based concerns regarding the quality of compromised merchant self assessments,
(b) Merchant concerns regarding the cost and complexity of external assessment, and the availability of qualified assessors to do the work.
(c) The PCI SSC’s training capabilities and timing and development of a merchant certification program (anticipated in Q1 ’10) and
(d) Timing surrounding the next release of the PCI DSS in Q3 ’10. Think about it – Standards and Assessor training will probably cease around the end of Q2 in anticipation of the new release, which will require some revision to the training program curriculum and the re-trainng the trainers.
2) “MasterCard quietly”. Don’t imply anything new (or sinister or cowardly) in that. Quietly is MasterCard’s modus operandi. The original SDP changes were announced quietly as well.
3) “A bunch of Level 3 and Level 4 merchants just became Level 2s”. Is this an accurate statement? MasterCard & Visa have historically included the caveat “or is a Level X in another brand” in their level setting criteria. MasterCard appeared to back way from this in the June pronouncement, and have simply returned to the status quo. Have Acquirers have been tracking and reporting merchants at separate levels by brand? That would exponentially increase complexity by each brand tracked, as they would also have to track separate validation statuses and compliance status for each brand as well. The idea was probably gaining traction in the face of the June SDP changes. However as good as it sounds, it would seem to create a tremendous amount of confusion in a compliance space already rich with it. It also makes sense from a risk perspective. When a merchant is breached, the attacker steals ALL the cards, not just the Visas or the MasterCards. So while the Brands have no visibility into volume outside their individual brand (and no standing to set requirements on them either), the acquirer does. The real risk to the merchant is total transaction volume, not just the Brand X transactions.
4. No mention of the MasterCard PA-DSS requirement!
The MasterCard SDP changes also leapfrog Visa’s PABP Mandates with a new requirement that all merchants and service providers use PA DSS-compliant payment applications by June 30, 2012. True, Visa’s PABP does call for the use of compliant payment applications by June 30, 2010. However in PABP, Visa allows the definition of “PA DSS-complaint” to be determined by the acquirers on an application-by-application basis. MasterCard defines PA DSS-compliant applications as “Listed on the PCI SSC web site”. So in MasterCard nomenclature, “compliant = validated”. Don’t be surprised to see Visa do the same thing, along the same time lines, once the PABP Mandate V date arrives in 2010, hopefully with clearer language – subject to the usual cautionary advice surrounding forward looking statements – LOL
Happy Holidays!
December 17th, 2009 at 1:40 pm
I completely support the comment above about MasterCard deserving credit for acting as they did. They listened, and they adjusted their requirements to respond to the needs of merchants and acquirers/processors. They didn’t have to, but they did. Compliments to the folks in Purchase.
However I stick by my comment (quoted in the column) about a bunch of L3 and L4 merchants becoming L2s and requiring an onsite. To me, what made MasterCard’s original requirement for an onsite assessment for L2s palatable was that they took away their reciprocity provision. That is, they seemed to focus on larger merchants with over a million MasterCard trans/year. With reciprocity in place, a lot of smaller merchants are pulled into the onsite requirement. Rather than causing confusion, I think reciprocity will lead to additional work for processors and acquirers. Having said that, I accept it is MasterCard’s game and they have the right to set the rules for their brand.
The comment on PA-DSS is interesting. I am not as sure the positions of the brands are really that much different. Nor do I think many acquirers will go out on a limb to bless an app if the developer can’t/won’t go through the PA-DSS validation process.
December 18th, 2009 at 8:28 pm
@Dave
Let’s given them credit??? For being idiotic in the first place? Not on your life!
Everyone has just had to scramble and include the costs of the previously announced M/C requirement in their 2010 budgets, and start negotiating with the QSAs for the additional services. All for naught!
Because of budget timing, local QSA availability, etc., my employer had earlier this month signed a contract for next year — now we don’t need it????
Give M/C credit for reversing a bad decision to begin with? NEVER!
January 14th, 2010 at 10:47 am
Re: reciprocity. The article below in StoreFront Backtalk does a pretty good job of explaining what happend with reciprocity
http://www.storefrontbacktalk.com/securityfraud/mastercard-december-deadline-change-not-for-holiday-conflict/
Per this article and my original contention, reciprocity between MasterCard and Visa was always been a factor in Acquirer merchant level assignments. The brief removal of reciprocity generated a great deal of interest in being able to be classified at a lower level in MasterCard’s world. Nevertheless the return of the reciprocity language in the December changes did not effectively create any new Level 2 merchants, but it DID dash the hopes of a lot of them…. :-(