MasterCard Gets PCI Tough With Level 2 Retailers?
Written by Evan Schuman, June 18th, 2009
MasterCard has changed its PCI rules and is now insisting that all Level 2 merchants have on-site assessments. There's no dispute that this is a significant move, but whether it will truly have any lasting—and meaningful—impact is unclear. That's because of a few issues, especially the confusing rules surrounding self-assessments.
It was late in 2007 when Visa started allowing Level 1s to self-assess. Even that was not so dramatic because it could only happen when there was agreement between the retailer's execs, the acquiring bank as well as the card brand. Heck, if a retailer can get agreement among all three of those groups, there's no PCI rule that can't be changed or waived. That's akin to saying that an American consumer can do something as long as the Senate, House, White House and Supreme Court sign off.
6 Comments
June 18th, 2009 at 12:41 pm
Trust me, QSACs make a killing at on site assessments. They pound up the hours and bill the snot out of the merchant. The problem is there aren’t enough on site assessments to keep the legion of QSACs/QSAs busy year round.
My money says, the smart L2 merchants will drop MC in favor of cash, VISA/Amex/Discover/JCB and tell MasterCard to suck rocks.
June 18th, 2009 at 10:48 pm
Thanks for the kind words! One thing to remember (and I’ll post something about this tomorrow), most card brands have reciprocity with other brands when it comes to determining levels. Thus, ALL Level 2 merchants, regardless of brand (because if you are a Level 2 with Visa, you are a level 2 with most, including MasterCard) will now be subject to this new requirement.
June 20th, 2009 at 12:20 pm
According to the Society of Payment Security Professionals forum:
“Merchant level is defined by each brand (remember, the PCI Council owns the standards, but each brand enforces them). For example, while MC and Visa are aligned, Amex has only 3 merchant levels.
The key is to look at transaction count by brand. A common mistake I see is for merchants to total all their card transactions then look up their merchant level. Instead, read the requirements carefully: Visa only deals with Visa; MC with MC; Amex with Amex. Therefore I may have 10 million card trans per year, but if it is made up of 5 million Visa, 3 million M/C, and 2 million Amex, I’d be a Level 2 merchant.
The key is to look at transactions by brand.”
June 21st, 2009 at 6:50 pm
Hi,
You forgot to mention that a MasterCard Tier 2 Merchant is classified as having transaction volumes FROM 1 million up to 6 million per annum.
Your article sounds like every merchant is a tier 2.
Regards,
Leslie Barrett
June 21st, 2009 at 8:46 pm
Editor’s Note: Leslie’s note is valid. Like every other publication, we struggle with how much we assume our particular audience knows. If we spell out too much, the audience gets offended and concludes that we don’t know that space. (Example: If The Washington Post defined what a U.S. Senator is for a story about the status of a particular piece of Senate legislation. Such an explanation could easily alienate its audience.)
We often ask readers and update our style policy as times change. There was a time when we felt the need to spell out what PCI was, but we no longer feel that way, at least for our core audience.
To your comment, we made the assumption that the subset of our readers who would have an interest in reading a piece about MasterCard changing its policies regarding PCI requirements …. we concluded that that particular subset of our audience would know what a Level 2 merchant meant.
That said, it probably wouldn’t have hurt to have thrown in a standard description at the end, defining each PCI Level, at least from MasterCard’s perspective.
June 22nd, 2009 at 3:48 pm
Do we have any confirmation that Amex Level 2 (50k transactions) is -not- cause to be considered Level 2 for MasterCard?
I can’t imagine this would be true, but I need confirmation.
Thanks in advance!