PCI DSS Merchant Levels – Tell me again…Who needs a QSA?

We are regularly asked to explain the PCI merchant levels to customers. The merchant levels are a fairly straightforward grouping of merchants by credit card transaction volume. Each of the card brands (Visa, MasterCard, American Express, Discover and JCB) lists the transaction volumes for the different merchant levels on its website. While all companies that store, process or transmit cardholder data are required to comply with the entire Data Security Standard, how a merchant is required to validate that compliance is determined by its merchant level. For example, here is the Visa merchant level table:

Visa PCI Merchant Levels

Since the start of the PCI program, only level 1 merchants have been required to validate their compliance with an on-site assessment by a QSA. Level 2 merchants have always been allowed to complete a Self-Assessment Questionnaire (SAQ) rather than have an on-site audit by a QSA. Things, however, got a bit confusing when MasterCard attempted to step up the intensity of its program:

– August 2009: MasterCard announces that level 2 merchants will have to have an annual QSA assessment. The deadline is December 2010.

– December 2009: MasterCard announces that level 2 merchants don’t have to have a QSA after all. They can still complete the Self-Assessment Questionnaire, but only if their internal staff have completed the PCI training. The deadline is extended to June 2011. If you haven’t done the PCI training, then you need a QSA.

As the June 2011 deadline approaches, many level 2 merchants are scrambling to decipher the requirements and get the appropriate validation completed in time.

The bottom line: if you are classified as a level 2 merchant by MasterCard, you will need either to have your internal staff complete the PCI SSC training (details are here: https://www.pcisecuritystandards.org/training/isa_training.php) or to have a QSA complete your Report on Compliance. Note that these changes affect merchants classified as level 2 by MasterCard. If you are a level 2 merchant with Visa, MasterCard also considers you a level 2 merchant, even if your MasterCard transaction volume alone would put you in a lower tier. If, however, you are a level 2 merchant with American Express and a level 3 merchant with MasterCard, these changes will not apply to you.

If the MasterCard changes do affect your organization and you are already in the process of completing the SAQ, make sure to check with your acquirer whether they will accept your SAQ under the old rules if you submit it before the June deadline.

Posted by mmarshall in Main | 1 Comment

One thought on “PCI DSS Merchant Levels – Tell me again…Who needs a QSA?”

  • Lou

    Thanks for the information. What about Service Providers and their requirements for Onsite or SAQ? For all brands with the exception of American Express, I noticed the Level II SP are eligible to fill out the SAQ. Why is American Express making Level II go through an onsite validation?
