PCI Human Train Wreck Coming Next Year For Level 2s

Written by Walter Conway
November 30th, 2009

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Many Level 2 merchants are just now realizing that their PCI world has changed. Under rules announced this summer, Level 2 MasterCard merchants—like their Level 1 brethren—will require an onsite assessment by a QSA starting in 2010. What’s the difference between self-assessing and an onsite review? Actually, there are 525 differences.

But what I worry about most is a fourth quarter 2010 PCI train wreck as the new rules collide with human frailty and the calendar. The result may be that even some Level 1 merchants and processors don’t get their assessments (and ROCs) completed on schedule.

MasterCard’s Double-Barreled Announcement.
This past summer, MasterCard announced that all “Level 2 merchants must complete an annual onsite assessment conducted by a PCI SSC certified Qualified Security Assessor (QSA) and must validate compliance by 31 December 2010.” It also announced that Level 1 merchants previously using their internal auditors to validate PCI compliance must now have a QSA conduct that assessment.

MasterCard made one clarification, albeit a bit delayed, which eases the impact for some merchants. It removed what I call the “reciprocity gotcha” from its guidelines that, in this case, said if you are classified as a Level 2 merchant by one brand, then you are a Level 2 for MasterCard–regardless of your volume. For example, if you had 1 million Visa transactions and 500,000 MasterCard transactions, you would be a Level 2 for Visa and either a Level 3 or Level 4 for MasterCard. Because you are a Level 2 for Visa, under the reciprocity gotcha, you are now a Level 2 for MasterCard as well. In the good old days of self-assessment, this classification didn’t mean much. But with MasterCard’s new rules, being Level 2 means a whole lot. The good news, at least for some merchants, is that MasterCard removed this reciprocity provision from its merchant level definitions.

525 Ways A ROC Is Not A SAQ.
When a merchant validates its compliance with a Self-Assessment Questionnaire (SAQ), it checks a box for each requirement, thereby indicating that the control is in place. Most merchants are conscientious and careful, assembling an internal team of business and technology staff to tackle the project.

An onsite assessment is different. The assessor will need to see hard evidence of the merchant’s compliance in practice. For example, an internal team may be tempted to say, “We have a firewall, so we can check that box.” An assessor, on the other hand, would need to see a network diagram and examine the firewall rule set before determining if it is properly configured to meet the intent of the PCI requirements.

The PCI Council shapes the assessor’s role through its Quality Assurance (QA) program, which was introduced this year. This program promotes, in the Council’s words, “certainty that Assessors approved by the PCI SSC provide quality services to merchants and service providers by adhering to the high standards set forth in signed agreements and validation requirements.” It is a good program, with benefits for merchants and the assessors and scanning vendors evaluated.

As part of its QA program, the PCI Council developed a scoring matrix to evaluate ROCs (Reports on Compliance) submitted for review. QSAs, in turn, use the matrix to guide their onsite work. The matrix stipulates how QSAs should validate each PCI requirement, whether by observation, by review of written documentation or by interviewing the merchant’s staff. Here are two examples: For Requirement 3.2.1 (Do not store the contents of the mag stripe.), the matrix specifies seven sets of logs and databases to be sampled, examined and documented; for Requirement 5.2 (Ensure antivirus mechanisms can generate audit logs.), it specifies five separate actions, including documentation review, observations and a description of how the sample was drawn.
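As an added illustration, not taken from the article or from the PCI Council’s matrix, of what examining a sampled log for Requirement 3.2.1 involves: the constructed log lines below are scanned for Track 1 and Track 2 sentinels wrapped around a Luhn-valid PAN, and each hit is reported with the PAN masked to first six/last four rather than echoed in full.

```python
import re

# Constructed sample log lines (not from the article): one clean authorization
# record, one line leaking Track 2 data, one leaking Track 1 data, and one
# with a PAN-shaped number that fails the Luhn check (a likely false positive).
SAMPLE_LOG = """\
2009-11-30 10:01:02 POS-07 auth ok ref=8831 amount=42.17
2009-11-30 10:01:03 POS-07 debug raw=;4111111111111111=1012101123456789?
2009-11-30 10:01:04 POS-02 debug raw=%B5555555555554444^DOE/JANE^1012101123?
2009-11-30 10:01:05 POS-02 trace id=;1234567812345678=1012101000000000?
"""

# Track 2: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1: '%B' PAN '^' name '^' YYMM service-code discretionary '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the display form PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(log_text: str) -> list:
    """Report each line that carries Track 1 or Track 2 data around a Luhn-valid PAN."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for track, rx in (("track2", TRACK2_RE), ("track1", TRACK1_RE)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    findings.append({"line": lineno, "track": track, "pan": mask_pan(pan)})
    return findings


if __name__ == "__main__":
    for f in find_track_data(SAMPLE_LOG):
        print(f"line {f['line']}: {f['track']} data for PAN {f['pan']}")
```

Real assessments sample far more than a debug log, but the same check (sentinels plus Luhn, output masked) is what turns a “we don’t store track data” assertion into evidence.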

In total, there are 525 items specified in the scoring matrix and, believe me, your QSA will follow all of them. Failing to do so can mean that the QSA firm enters remediation (its name goes red on the PCI Council’s Web site) and, in extreme cases, that the firm may have its status revoked by the Council.


6 Comments

  1. John Bailey Says:

    This is retail, folks. Year-end deadlines are really unacceptable and should be moved to mid-year… July 31st, for example. If you’re like my company… nothing can happen in the last 6 weeks of the year as we lock down for the holidays. These people totally have their heads in the sand.

  2. Walt Conway Says:

    Thanks for the comment, John, and you raise a great point. I am regularly mystified by how particular dates get picked by the PCI Council and other bodies. For example, what’s special about June 30 for replacing WEP encryption (or the March 31, 2009 end date for new WEP applications) or October for the updated DSS? But these really pale compared to the year-end date chosen by MasterCard which conflicts with seasonal system freezes…including their own!

    Let’s hope someone there will catch this. I fear the only reasonable alternative might be for acquirers to cut merchants some slack, to the extent they can. At least we can hope!

    Your best bet is to fight human nature and get cracking on your on-site earlier in the year. This way it’s done. And as I pointed out, there is no economic benefit to waiting – you have to validate annually, so doing it earlier or later costs the same.

  3. Gray Taylor Says:

    This article has generated a lot of interest with retailers facing the dreaded MC L2 issue. Not surprisingly, some acquirers are questioning the veracity of the relaxation of “reciprocity”. Is there anything in the public domain from MC to substantiate this?

    To John’s comment, I have been constantly surprised at the lack of knowledge about retailing exhibited by those setting mandates (cost burdens to be added to timing issue). Acquirers are in the same boat as merchants – not knowing/understanding what is coming down the pipe next. Only recourse is to get involved in the process and get vocal!

    Thanks for the article!

  4. Walt Conway Says:

    I agree very much with your suggestion, Gray, that every large merchant should get involved in the PCI process. The good news is that I understand there are well over 300 Participating Organizations. Now all we need to do is make sure everyone is heard! The Council is listening, now we just need to work with the brands a little more.

    As for reciprocity, here is a link to MasterCard’s merchant definitions: If you read it carefully, you’ll note the reciprocity provision in the merchant level definitions (e.g., “or if you are considered a Level X by any of the other card brands”) is gone. You should also check out their FAQ (issued two months after the fact…) here:

  5. Walt Conway Says:

    I have a follow-up to Gray’s questioning my statement on MasterCard’s reciprocity being relaxed. He’s right; I was wrong.

    I have been in contact with MasterCard and they corrected me: “we [MasterCard] never removed reciprocity from our rules. The language was simply changed from “competing brand” to “Visa”. The “competing brand” language has been in the rules since 2005 and this was meant to facilitate alignment between MasterCard and Visa.”

    I stand corrected. That means that not some but ALL L2 merchants will need an onsite. See the latest on these developments with some good news here:

  6. Robert Spivak Says:

    I wanted to comment on the dates. I agree that they seem to be timed poorly for certain retailers, while for others they fit well. Working with software vendors, we find that depending on the industry, certain times of the year are good and others are not.

    For example, a college bookseller will need to be locked down both in September and in January, and the holidays are not as big a deal, while a bridal shop will state that from March through June nothing can change. Your standard big-box stores will tell you that back-to-school and the holidays are locked down. Also, depending on what region of the world you are in, it can change. The US Thanksgiving is the biggest shopping day of the year for the US, while in Canada Boxing Day is the big sales day.

    So we find that if you are involved with enough retailers, in different verticals, and different regions of the world, there is never a good time to implement changes.

    It has been my experience, however, that as long as there is a process to implement changes and the merchant can provide evidence that the process is followed, usually there can be some leniency given to the implementation of a mandate.

