MasterCard Gets PCI Tough With Level 2 Retailers?

Written by Evan Schuman
June 18th, 2009

MasterCard has changed its PCI rules and is now insisting that all Level 2 merchants have on-site assessments.

“This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually,” wrote Branden Williams, in his excellent Security Convergence Blog, which seems to have broken the story on Wednesday (June 17). The blog also reports that none of the other card brands—including Visa, the Uber Brand when it comes to PCI issues—have done the same.

There’s no dispute that this is a significant move, but whether it will truly have any lasting—and meaningful—impact is unclear. That’s because of a few issues, especially the confusing rules surrounding self-assessments.

It was late in 2007 when Visa started allowing Level 1s to self-assess. Even that was not so dramatic, because it could only happen when the retailer’s execs, the acquiring bank and the card brand all agreed. Heck, if a retailer can get agreement among all three of those groups, there’s no PCI rule that can’t be changed or waived. That’s akin to saying that an American consumer can do something as long as the Senate, House, White House and Supreme Court sign off.

I am going out on a limb to say that any Level 2 retailer will still be able to self-assess, as long as the retailer can make a solid argument to the acquiring bank that it can handle the form and that it has passed assessments with flying colors many times. This also assumes that the brand has no objection.

Adding more confusion to this situation is that it’s MasterCard doing it. Let’s be candid. MasterCard, American Express, Diner’s Club, JCB and the others are powerful brands (OK, maybe that’s pushing it a bit with Diner’s Club. You seen many around lately?). But as powerful as they are, it’s Visa that calls the shots these days on PCI matters. If Visa doesn’t make similar changes, it’s not clear what will happen. What will the acquiring banks do?

That all said, it’s unclear what is behind this. MasterCard may not so much be trying to be more stringent with Level 2s as trying to crack down on the extremely common inaccurate answers—based on misunderstood questions—coming from self-assessments. If this is the beginning of a campaign to eliminate self-assessments from all retailers in Levels 1, 2 and 3, that could prove very interesting.

If it is, though, that raises logistical issues. The most prominent such issue is “Where are all of these assessors going to come from?” Performing assessments has never been especially profitable, unless lots of related hardware and software sales are bundled. A flood of new assessors is likely to have the opposite of the intended impact. New assessors are likely to generate almost as many mistakes as the self-assessments they’re supposed to replace.


6 Comments

  1. Da Juicer Says:

    Trust me, QSACs make a killing at on site assessments. They pound up the hours and bill the snot out of the merchant. The problem is there aren’t enough on site assessments to keep the legion of QSACs/QSAs busy year round.

    My money says, the smart L2 merchants will drop MC in favor of cash, VISA/Amex/Discover/JCB and tell MasterCard to suck rocks.

  2. Branden Williams Says:

    Thanks for the kind words! One thing to remember (and I’ll post something about this tomorrow), most card brands have reciprocity with other brands when it comes to determining levels. Thus, ALL Level 2 merchants, regardless of brand (because if you are a Level 2 with Visa, you are a level 2 with most, including MasterCard) will now be subject to this new requirement.

  3. John B. Frank Says:

    According to the Society of Payment Security Professionals forum:

    “Merchant level is defined by each brand (remember, the PCI Council owns the standards, but each brand enforces them). For example, while MC and Visa are aligned, Amex has only 3 merchant levels.

    The key is to look at transaction count by brand. A common mistake I see is for merchants to total all their card transactions then look up their merchant level. Instead, read the requirements carefully: Visa only deals with Visa; MC with MC; Amex with Amex. Therefore I may have 10 million card trans per year, but if it is made up of 5 million Visa, 3 million M/C, and 2 million Amex, I’d be a Level 2 merchant.

    The key is to look at transactions by brand.

  4. Leslie Barrett Says:

    You forgot to mention that a MasterCard Tier 2 Merchant is classified as having transaction volumes FROM 1 million up to 6 million per annum.

    Your article sounds like every merchant is a tier 2.

    Leslie Barrett

  5. Evan Schuman Says:

    Editor’s Note: Leslie’s note is valid. Like every other publication, we struggle with how much we assume our particular audience knows. If we spell out too much, the audience gets offended and concludes that we don’t know that space. (Example: If The Washington Post defined what a U.S. Senator is for a story about the status of a particular piece of Senate legislation. Such an explanation could easily alienate its audience.)
    We often ask readers and update our style policy as times change. There was a time when we felt the need to spell out what PCI was, but we no longer feel that way, at least for our core audience.
    To your comment, we made the assumption that the subset of our readers who would have an interest in reading a piece about MasterCard changing its policies regarding PCI requirements … we concluded that that particular subset of our audience would know what a Level 2 merchant meant.
    That said, it probably wouldn’t have hurt to throw in a standard description at the end, defining each PCI Level, at least from MasterCard’s perspective.

  6. Josh Says:

    Do we have any confirmation that Amex Level 2 (50k transactions) is -not- cause to be considered Level 2 for MasterCard?

    I can’t imagine this would be true, but I need confirmation.

    Thanks in advance!

