More on MasterCard's Level 2 Change

On Wednesday, we discussed MasterCard's new requirement for Level 2 merchants to have an on-site assessment performed instead of submitting the Self-Assessment Questionnaire. This news prompted a flurry of information around the new requirement and has merchants asking lots of questions.

I clarified a couple of items from my last post and wanted to make sure they were clear.


  1. MasterCard's 2010 deadline is more an end to submitting SAQs than a deadline to be validated by a QSA. This means that Level 2 merchants can continue to submit SAQs until December 31, 2010, after which they will need an on-site assessment performed by a QSA.

  2. The On-Site assessment must yield a Report on Compliance (ROC), NOT a SAQ. Effectively, Level 1 & 2 merchants will have the exact same reporting requirements for PCI.

  3. This does not apply only to merchants processing more than 1 million MasterCard transactions annually; it applies to any merchant classified as a Level 2 merchant by any other card brand. MasterCard's definition of Level 2 also includes "Any merchant meeting the Level 2 criteria of a competing payment brand." This means that if any other brand defines you as a Level 2 merchant, you are now subject to this requirement.


I hope you all have a chance to ponder that over the weekend, and we'll catch you next week for more security fun!

Comments

Branden, I'm not sure about your point 2. As I read the table, the second column says L2 merchants require a "self assessment"...not a ROC. That the SAQ would need to be signed/reviewed by a QSA seems to be all that is required. BTW, I see the footnote saying all L1 and L2 merchants must conduct an "on-site assessment". Is that where the ROC requirement is coming from?

Walt:

You and I had the exact same confusion based on that table! I confirmed from an inside source that my post above is indeed the intent, and the website will probably be modified shortly.

Branden,
Thanks for the clarification, and thanks for being on top of this one.
