We regularly are asked to explain the PCI merchant levels to customers. The merchant levels are a pretty straightforward grouping of merchants by credit card transaction volume. Each of the Cardbrands (Visa, Mastercard, American Express, Discover and JCB) list the transaction volumes for the different merchant levels on their websites. While all companies that store, process or transmit Card Holder data are required to comply with the entire Data Security Standard, how the merchant is required to validate that compliance is determined by their merchant level. For example here is the Visa merchant level table:
Since the start of the PCI program only level 1 merchants have been required to validate their compliance with an on-site assessment from a QSA. Level 2 merchants have always been allowed to complete a Self Assessment Questionnaire (SAQ) rather than have an on-site audit by a QSA. Things, however, got a bit confusing when MasterCard attempted to step up the intensity of their program:
- August 2009 MasterCard announces that level 2 merchants will have to have an annual QSA assessment. The deadline is December 2010.
- December 2009 MasterCard announces that level 2 merchants don’t have to have a QSA. They can still do the Self Assessment Questionnaire, but only if they have their internal staff complete the PCI training. The deadline is extended to June 2011. If you haven’t done the PCI training then you need a QSA.
As the June 2011 deadline approaches many level 2 merchants are scrambling to decipher the requirements and get the appropriate validation completed in time.
The bottom line: If you are a classified as a level 2 merchant by MasterCard you will need to have your internal staff complete the PCI SSC training (details are here https://www.pcisecuritystandards.org/training/isa_training.php). Or have a QSA complete your Report on Compliance. Note that these changes impact merchants classified as level 2 by MasterCard. If you are a level 2 with Visa, MasterCard also considers you a level 2 even if your MasterCard transaction volume would put you in a lower tier. If you are, however, a level 2 merchant with American Express and a level 3 merchant with MasterCard these changes will not apply to you.
If the MasterCard changes do impact your organization, and you are already in process with the SAQ. Make sure to check with your acquirer to see if they will accept your SAQ (under the old rules) if you submit it prior to the June deadline.