PCI Human Train Wreck Coming Next Year For Level 2s
Written by Walter Conway. A 403 Labs QSA, PCI columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
Many Level 2 merchants are just now realizing that their PCI world has changed. Under rules announced this summer, Level 2 MasterCard merchants—like their Level 1 brethren—will require an onsite assessment by a QSA starting in 2010. What’s the difference between self-assessing and an onsite review? Actually, there are 525 differences.
But what I worry about most is a fourth quarter 2010 PCI train wreck as the new rules collide with human frailty and the calendar. The result may be that even some Level 1 merchants and processors don’t get their assessments (and ROCs) completed on schedule.
MasterCard’s Double-Barreled Announcement.
This past summer, MasterCard announced that all “Level 2 merchants must complete an annual onsite assessment conducted by a PCI SSC certified Qualified Security Assessor (QSA) and must validate compliance by 31 December 2010.” It also announced that Level 1 merchants previously using their internal auditors to validate PCI compliance must now have a QSA conduct that assessment.
MasterCard made one clarification, albeit a bit delayed, which eases the impact for some merchants. It removed what I call the “reciprocity gotcha” from its guidelines: the provision that said if you are classified as a Level 2 merchant by one brand, then you are a Level 2 for MasterCard, regardless of your volume. For example, if you had 1 million Visa transactions and 500,000 MasterCard transactions, you would be a Level 2 for Visa and either a Level 3 or Level 4 for MasterCard. Because you are a Level 2 for Visa, under the reciprocity gotcha you would be a Level 2 for MasterCard as well. In the good old days of self-assessment, this classification didn’t mean much. But with MasterCard’s new rules, being Level 2 means a whole lot. The good news, at least for some merchants, is that MasterCard removed this reciprocity provision from its merchant level definitions.
525 Ways A ROC Is Not A SAQ.
When a merchant validates its compliance with a Self-Assessment Questionnaire (SAQ), it checks a box for each requirement, thereby indicating that the control is in place. Most merchants are conscientious and careful, assembling an internal team of business and technology staff to tackle the project.
An onsite assessment is different. The assessor needs to see hard evidence that the merchant is compliant in practice, not just on paper. For example, an internal team may be tempted to say, “We have a firewall, so we can check that box.” An assessor, on the other hand, would need to see a current network diagram and examine the actual firewall rule set before determining whether it is configured to meet the intent of the PCI requirements.
The PCI Council shapes the assessor’s role through its Quality Assurance (QA) program, which was introduced this year. This program promotes, in the Council’s words, “certainty that Assessors approved by the PCI SSC provide quality services to merchants and service providers by adhering to the high standards set forth in signed agreements and validation requirements.” It is a good program, with benefits for merchants and the assessors and scanning vendors evaluated.
As part of its QA program, the PCI Council developed a scoring matrix to evaluate ROCs (Reports On Compliance) submitted for review. QSAs, in turn, use the matrix to guide their onsite work. The matrix stipulates how QSAs should validate each PCI requirement: by observation, by reviewing written documentation or by interviewing the merchant’s staff. Here are two examples. For Requirement 3.2.1 (Do not store the contents of the mag stripe.), the matrix specifies seven sets of logs and databases to be sampled, examined and documented; for Requirement 5.2 (Ensure antivirus mechanisms can generate audit logs.), it specifies five separate actions, including documentation review, observations and a description of how the sample was drawn.
In total, there are 525 items specified in the scoring matrix and, believe me, your QSA will follow all of them. Failing to do so can mean that the QSA firm enters remediation (its name goes red on the PCI Council’s Web site) and, in extreme cases, that the firm may have its status revoked by the Council.
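The Requirement 3.2.1 test above (sampling logs and databases for magnetic stripe contents) is the kind of thing a merchant can run against itself before the QSA arrives. The scanner below is an added example, not code from the article or from the PCI Council: it looks for ISO 7813 Track 1 and Track 2 encodings and for bare card numbers that pass the Luhn check, and it masks whatever it finds so the report itself does not become a new place where PANs are stored. The log lines are constructed for the example, and the card numbers in them are publicly documented test numbers, not real accounts.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not taken from any real system): a correctly
# masked PAN, a Track 2 leak, a Track 1 leak, and a 16-digit order id that
# happens to look like a card number but fails the Luhn check.
SAMPLE_LOG = """\
2009-11-30 14:02:11 INFO  pos-01 sale approved auth=123456 pan=411111******1111
2009-11-30 14:02:13 DEBUG pos-01 raw msg: ;4111111111111111=25121011234567890123?
2009-11-30 14:05:40 DEBUG pos-02 swipe: %B5555555555554444^DOE/JANE^2512101?
2009-11-30 14:06:02 INFO  pos-02 order 4000012345678901 shipped
2009-11-30 14:07:15 WARN  pos-03 cvv mismatch, retry
"""

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# A run of 13-19 digits not embedded in a longer digit run.
BARE_PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; used to separate PANs from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits in the report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str          # "track1", "track2" or "pan"
    pan_masked: str


def scan(text: str) -> list[Finding]:
    """Return one Finding per track-data or full-PAN occurrence in the text.

    Track data is reported whenever the encoding matches, because storing it
    at all is what 3.2.1 forbids. A bare digit run is reported only when it
    passes Luhn, which removes most timestamps, auth codes and order numbers.
    """
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        remainder = line
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                findings.append(Finding(n, kind, mask(m.group(1))))
            # Drop the matched track data so its PAN is not counted twice.
            remainder = rx.sub(" ", remainder)
        for m in BARE_PAN.finditer(remainder):
            if luhn_ok(m.group(1)):
                findings.append(Finding(n, "pan", mask(m.group(1))))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} data present, PAN {f.pan_masked}")
```

Run over the sample, the scanner flags lines 2 and 3 and stays quiet on the masked PAN and the order id. In practice you would point `scan()` at the seven log and database samples the matrix calls for, and treat any track hit as a failure to remediate before the onsite rather than something to explain to the assessor.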
November 30th, 2009 at 3:38 pm
This is retail, folks. Year end deadlines are really unacceptable and should be moved to mid-year, July 31st for example. If you’re like my company, nothing can happen in the last 6 weeks of the year as we lock down for the holidays. These people totally have their heads in the sand.
November 30th, 2009 at 8:23 pm
Thanks for the comment, John, and you raise a great point. I am regularly mystified by how particular dates get picked by the PCI Council and other bodies. For example, what’s special about June 30 for replacing WEP encryption (or the March 31, 2009 end date for new WEP applications) or October for the updated DSS? But these really pale compared to the year-end date chosen by MasterCard which conflicts with seasonal system freezes…including their own!
Let’s hope someone there will catch this. I fear the only reasonable alternative might be for acquirers to cut merchants some slack, to the extent they can. At least we can hope!
Your best bet is to fight human nature and get cracking on your on-site earlier in the year. This way it’s done. And as I pointed out, there is no economic benefit to waiting – you have to validate annually, so doing it earlier or later costs the same.
December 1st, 2009 at 10:24 am
Walt,
This article has generated a lot of interest with retailers facing the dreaded MC L2 issue. Not surprisingly, some acquirers are questioning the veracity of the relaxation of “reciprocity”. Is there anything in the public domain from MC to substantiate this?
To John’s comment, I have been constantly surprised at the lack of knowledge about retailing exhibited by those setting mandates (cost burdens to be added to timing issue). Acquirers are in the same boat as merchants – not knowing/understanding what is coming down the pipe next. Only recourse is to get involved in the process and get vocal!
Thanks for the article!
December 1st, 2009 at 12:29 pm
I agree very much with your suggestion, Gray, that every large merchant should get involved in the PCI process. The good news is that I understand there are well over 300 Participating Organizations. Now all we need to do is make sure everyone is heard! The Council is listening, now we just need to work with the brands a little more.
As for reciprocity, here is a link to MasterCard’s merchant definitions: http://www.mastercard.com/us/sdp/merchants/merchant_levels.html. If you read it carefully, you’ll note the reciprocity provision in the merchant level definitions (e.g., “or if you are considered a Level X by any of the other card brands”) is gone. You should also check out their FAQ (issued two months after the fact…) here: http://www.mastercard.com/us/sdp/assets/pdf/SDP%20Program%20Revisions%20FAQ.pdf
December 17th, 2009 at 8:47 pm
I have a follow-up to Gray’s questioning my statement on MasterCard’s reciprocity being relaxed. He’s right; I was wrong.
I have been in contact with MasterCard and they corrected me: “we [MasterCard] never removed reciprocity from our rules. The language was simply changed from ‘competing brand’ to ‘Visa’. The ‘competing brand’ language has been in the rules since 2005 and this was meant to facilitate alignment between MasterCard and Visa.”
I stand corrected. That means that not some but ALL L2 merchants will need an onsite. See the latest on these developments with some good news here: http://www.storefrontbacktalk.com/securityfraud/mastercard-blinks-drops-dec-31-level-2-pci-deadline/
December 22nd, 2009 at 5:07 pm
I wanted to comment on the dates. I agree that they seem to be timed poorly for certain retailers, while for others it fits well. Working with software vendors we find that depending on the industry, certain times of the year are good and others are not.
For example, a college book seller will need to be locked down both in September and in January and the holidays are not as big a deal. While a Bridal shop will state that March through June nothing can change. Your standard Big box stores will tell you that Back to school and Holidays are locked down. Also depending on what region of the world you are in it can change. The US Thanksgiving is the biggest shopping day of the year for the US, while in Canada Boxing day is the big sales day.
So we find that if you are involved with enough retailers, in different verticals, and different regions of the world, there is never a good time to implement changes.
It has been my experience, however, that as long as there is a process to implement changes and the merchant can provide evidence that the process is followed, usually there can be some leniency given to the implementation of a mandate.