This is page 2 of:
PCI Human Train Wreck Coming Next Year For Level 2s
The Polar Express Train Wreck.
According to Visa, there are nearly 900 Level 2 merchants today. Let’s say only half of them will also be Level 2 for MasterCard (per my example, above), based on their actual transaction volume. That translates to about 450 new merchants that need an onsite assessment. Currently, there are only 352 Level 1 merchants (again, per Visa), which means 2010 will see an increase of over 125 percent in the number of merchants needing an assessment. How will we deal with this extra demand? Although the Council is training QSAs, I don’t think the number has increased by anywhere near 125 percent.
It’s not just the demand; it’s also timing. My guess is that few Level 2 merchants will move before mid-year. There is no benefit to delaying (PCI compliance is renewed annually, so it should make no economic difference whether you do it in the beginning of the year or at the end). But I try not to bet against human nature and the desire to delay the unpleasant. Now let’s factor in time for vendor selection and assessment preparation (remember the assessor’s matrix and all the required documentation), and the fact that first-time assessments can take longer and involve more remediation. The result may be a major train wreck in the fourth quarter of 2010 as an unusually large number of merchants and their QSAs scramble to document compliance. And, of course, this clamor happens just in time for the holidays.
In this scenario, some Level 1 merchants will suffer collateral damage. The number of new clients will stretch their QSAs, and seemingly minor remediation issues may lead to delays in Level 1 merchants’ own ROCs. One last kicker: Because PCI validation is annual, this fourth quarter crunch is perpetuated.
The Law of Unintended Consequences holds that no good act goes unpunished. MasterCard wants Level 2 merchants to have an onsite assessment. The PCI Council wants to monitor the quality of QSAs’ work. Each organization thinks it is doing the right thing. But when we combine these requirements with human nature and the calendar, we are headed into a 2010 year-end situation that may be painful for merchants and QSAs alike.
Will acquirers cut their merchants and processors some slack if things get tight? Will enough Level 2 merchants plan ahead and validate early? Will some Level 1 merchants with fourth quarter renewals (shock!) validate early and avoid the crush?
I’d like to know what you think. If you are a Level 2 merchant, what are your plans for your first assessment? Are you a Level 1 with a fourth quarter renewal? Do you disagree with my scenario? Please let me know. Leave a comment or send me an E-mail: wconway@403labs.com.
-Marc
November 30th, 2009 at 3:38 pm
This is retail, folks. Year end deadlines are really unacceptable and should be moved to mid-year…July 31st for example. If you’re like my company….nothing can happen in the last 6 weeks of the year as we lock down for the holidays. These people totally have their heads in the sand.
November 30th, 2009 at 8:23 pm
Thanks for the comment, John, and you raise a great point. I am regularly mystified by how particular dates get picked by the PCI Council and other bodies. For example, what’s special about June 30 for replacing WEP encryption (or the March 31, 2009 end date for new WEP applications) or October for the updated DSS? But these really pale compared to the year-end date chosen by MasterCard which conflicts with seasonal system freezes…including their own!
Let’s hope someone there will catch this. I fear the only reasonable alternative might be for acquirers to cut merchants some slack, to the extent they can. At least we can hope!
Your best bet is to fight human nature and get cracking on your on-site earlier in the year. This way it’s done. And as I pointed out, there is no economic benefit to waiting – you have to validate annually, so doing it earlier or later costs the same.
December 1st, 2009 at 10:24 am
Walt,
This article has generated a lot of interest with retailers facing the dreaded MC L2 issue. Not surprisingly, some acquirers are questioning the veracity of the relaxation of “reciprocity”. Is there anything in the public domain from MC to substantiate this?
To John’s comment, I have been constantly surprised at the lack of knowledge about retailing exhibited by those setting mandates (cost burdens to be added to timing issue). Acquirers are in the same boat as merchants – not knowing/understanding what is coming down the pipe next. Only recourse is to get involved in the process and get vocal!
Thanks for the article!
December 1st, 2009 at 12:29 pm
I agree very much with your suggestion, Gray, that every large merchant should get involved in the PCI process. The good news is that I understand there are well over 300 Participating Organizations. Now all we need to do is make sure everyone is heard! The Council is listening, now we just need to work with the brands a little more.
As for reciprocity, here is a link to MasterCard’s merchant definitions: http://www.mastercard.com/us/sdp/merchants/merchant_levels.html. If you read it carefully, you’ll note the reciprocity provision in the merchant level definitions (e.g., “or if you are considered a Level X by any of the other card brands”) is gone. You should also check out their FAQ (issued two months after the fact…) here: http://www.mastercard.com/us/sdp/assets/pdf/SDP%20Program%20Revisions%20FAQ.pdf
December 17th, 2009 at 8:47 pm
I have a follow-up to Gray’s questioning my statement on MasterCard’s reciprocity being relaxed. He’s right; I was wrong.
I have been in contact with MasterCard and they corrected me: “we [MasterCard] never removed reciprocity from our rules. The language was simply changed from “competing brand” to “visa”. the “competing brand” lanugage has been in the rules since 2005 and this was meant to facilitate alignment between MasterCard and Visa.”
I stand corrected. That means that not some but ALL L2 merchants will need an onsite. See the latest on these developments with some good news here: http://www.storefrontbacktalk.com/securityfraud/mastercard-blinks-drops-dec-31-level-2-pci-deadline/
December 22nd, 2009 at 5:07 pm
I wanted to comment on the dates. I agree that they seem to be timed poorly for certain retailers. while for others it fits well. Working with software vendors we find that depending on the industry, certain times of the year are good and other are not.
For example, a college book seller will need to be locked down both in September and in January and the holidays are not as big a deal. While a Bridal shop will state that March through June nothing can change. Your standard Big box stores will tell you that Back to school and Holidays are locked down. Also depending on what region of the world you are in it can change. The US Thanksgiving is the biggest shopping day of the year for the US, while in Canada Boxing day is the big sales day.
So we find that if you are involved with enough retailers, in different verticals, and different regions of the world, there is never a good time to implement changes.
It has been my experience, however, that as long as there is a process to implement changes and the merchant can provide evidence that the process is followed, usually there can be some leniency given to the implementation of a mandate.