MasterCard Blinks, Drops Dec. 31 Level 2 PCI Deadline

Written by Evan Schuman
December 16th, 2009

MasterCard has quietly backed off from a much-complained-about plan to require Level 2 merchants to—for the first time—have an onsite QSA assessment completed by the end of 2010. Having a New Year’s Eve deadline—on the heels of the all-encompassing holiday season—was a recipe for tons of missed deadlines.

The first MasterCard change made this month was pushing the Dec. 31, 2010, deadline back six months, to June 30, 2011. But MasterCard has also made two other key PCI changes. It has redefined what Level a retailer is (Level 1, 2, 3 or 4) to explicitly mirror whatever level Visa has determined. (The language used to say “competing brand.”) The last of the changes is to allow Level 1 and Level 2 retailers to perform their own assessments—using the retailer’s own salaried audit staff—as long as those audit staffers have passed PCI-approved training courses.

Update To This Story: MasterCard Clarifies Its Thinking

Walt Conway, a QSA for 403 Labs who also writes StorefrontBacktalk‘s weekly PCI column, applauded the MasterCard move, but said the change isn’t entirely good news for retailers. That’s because the agreement to mirror whatever Level Visa has assigned will likely promote many chains that simply had far more Visa transactions than MasterCard transactions. Because Visa generally treats Level 2s less strictly than does MasterCard, these promotions may not be universally welcomed.

“A bunch of Level 3 and Level 4 merchants just became Level 2s,” Conway said. “With this reciprocity gotcha, MasterCard giveth and MasterCard taketh away.”

One advantage to the change is simple cost-savings, as training the existing audit staffers will almost certainly cost a lot less than paying for an outside QSA.

“We heard at the PCI Community Meeting that the Council was working on a certification program for merchant staff that would be modeled on the current QSA training,” Conway said. “It appears the training (and certification) will be in place by next year, and MasterCard is reflecting this development in its PCI validation requirements.”


4 Comments | Read MasterCard Blinks, Drops Dec. 31 Level 2 PCI Deadline

  1. Dave CISA/M/SP Says:

    Couple of thoughts on this article

    1) “MasterCard Blinks”
    Let’s give ’em credit. (No, I don’t work for MasterCard – LOL) There was some good behavior here bears repeating: A major payment brand listened to the concerns of key stakeholders and arrived at a balanced compromise. Some of those concerns:

    (a) MasterCard’s risk-based concerns regarding the quality of compromised merchant self assessments,
    (b) Merchant concerns regarding the cost and complexity of external assessment, and the availability of qualified assessors to do the work.
    (c) The PCI SSC’s training capabilities and timing and development of a merchant certification program (anticipated in Q1 ’10) and
    (d) Timing surrounding the next release of the PCI DSS in Q3 ’10. Think about it – Standards and Assessor training will probably cease around the end of Q2 in anticipation of the new release, which will require some revision to the training program curriculum and the re-trainng the trainers.

    2) “MasterCard quietly”. Don’t imply anything new (or sinister or cowardly) in that. Quietly is MasterCard’s modus operandi. The original SDP changes were announced quietly as well.

    3) “A bunch of Level 3 and Level 4 merchants just became Level 2s”. Is this an accurate statement? MasterCard & Visa have historically included the caveat “or is a Level X in another brand” in their level setting criteria. MasterCard appeared to back way from this in the June pronouncement, and have simply returned to the status quo. Have Acquirers have been tracking and reporting merchants at separate levels by brand? That would exponentially increase complexity by each brand tracked, as they would also have to track separate validation statuses and compliance status for each brand as well. The idea was probably gaining traction in the face of the June SDP changes. However as good as it sounds, it would seem to create a tremendous amount of confusion in a compliance space already rich with it. It also makes sense from a risk perspective. When a merchant is breached, the attacker steals ALL the cards, not just the Visas or the MasterCards. So while the Brands have no visibility into volume outside their individual brand (and no standing to set requirements on them either), the acquirer does. The real risk to the merchant is total transaction volume, not just the Brand X transactions.

    4. No mention of the MasterCard PA-DSS requirement!
    The MasterCard SDP changes also leapfrog Visa’s PABP Mandates with a new requirement that all merchants and service providers use PA DSS-compliant payment applications by June 30, 2012. True, Visa’s PABP does call for the use of compliant payment applications by June 30, 2010. However in PABP, Visa allows the definition of “PA DSS-complaint” to be determined by the acquirers on an application-by-application basis. MasterCard defines PA DSS-compliant applications as “Listed on the PCI SSC web site”. So in MasterCard nomenclature, “compliant = validated”. Don’t be surprised to see Visa do the same thing, along the same time lines, once the PABP Mandate V date arrives in 2010, hopefully with clearer language – subject to the usual cautionary advice surrounding forward looking statements – LOL

    Happy Holidays!

  2. Walt Conway Says:

    I completely support the comment above about MasterCard deserving credit for acting as they did. They listened, and they adjusted their requirements to respond to the needs of merchants and acquirers/processors. They didn’t have to, but they did. Compliments to the folks in Purchase.

    However I stick by my comment (quoted in the column) about a bunch of L3 and L4 merchants becoming L2s and requiring an onsite. To me, what made MasterCard’s original requirement for an onsite assessment for L2s palatable was that they took away their reciprocity provision. That is, they seemed to focus on larger merchants with over a million MasterCard trans/year. With reciprocity in place, a lot of smaller merchants are pulled into the onsite requirement. Rather than causing confusion, I think reciprocity will lead to additional work for processors and acquirers. Having said that, I accept it is MasterCard’s game and they have the right to set the rules for their brand.

    The comment on PA-DSS is interesting. I am not as sure the positions of the brands are really that much different. Nor do I think many acquirers will go out on a limb to bless an app if the developer can’t/won’t go through the PA-DSS validation process.

  3. Cranston Snoard Says:

    Let’s given them credit??? For being idiotic in the first place? Not on your life!

    Everyone has just had to scramble and include the costs of the previously announced M/C requirement in their 2010 budgets, and start negotiating with the QSAs for the additional services. All for naught!

    Because of budget timing, local QSA availability, etc., my employer had earlier this month signed a contract for next year — now we don’t need it????

    Give M/C credit for reversing a bad decision to begin with? NEVER!

  4. Dave CISA/M/SP Says:

    Re: reciprocity. The article below in StoreFront Backtalk does a pretty good job of explaining what happend with reciprocity

    Per this article and my original contention, reciprocity between MasterCard and Visa was always been a factor in Acquirer merchant level assignments. The brief removal of reciprocity generated a great deal of interest in being able to be classified at a lower level in MasterCard’s world. Nevertheless the return of the reciprocity language in the December changes did not effectively create any new Level 2 merchants, but it DID dash the hopes of a lot of them…. :-(


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.