PCI Human Train Wreck Coming Next Year For Level 2s

Written by Walter Conway
November 30th, 2009
Many Level 2 merchants are just now realizing that their PCI world has changed. Under rules announced this summer, Level 2 MasterCard merchants—like their Level 1 brethren—will require an onsite assessment by a QSA starting in 2010. But how big a difference, asks PCI Columnist Walter Conway, is there really between self-assessing and an onsite review? Actually, there are 525 differences.

Conway's concern is the almost inevitable fourth quarter 2010 PCI train wreck as the new rules collide with human frailty and the calendar. The result may be that even some Level 1 merchants and processors don’t get their assessments (and ROCs) completed on schedule.


6 Comments

  1. John Bailey Says:

    This is retail, folks. Year end deadlines are really unacceptable and should be moved to mid-year…July 31st for example. If you’re like my company….nothing can happen in the last 6 weeks of the year as we lock down for the holidays. These people totally have their heads in the sand.

  2. Walt Conway Says:

    Thanks for the comment, John, and you raise a great point. I am regularly mystified by how particular dates get picked by the PCI Council and other bodies. For example, what’s special about June 30 for replacing WEP encryption (or the March 31, 2009 end date for new WEP applications) or October for the updated DSS? But these really pale compared to the year-end date chosen by MasterCard which conflicts with seasonal system freezes…including their own!

    Let’s hope someone there will catch this. I fear the only reasonable alternative might be for acquirers to cut merchants some slack, to the extent they can. At least we can hope!

    Your best bet is to fight human nature and get cracking on your on-site earlier in the year. This way it’s done. And as I pointed out, there is no economic benefit to waiting – you have to validate annually, so doing it earlier or later costs the same.

  3. Gray Taylor Says:

    Walt,
    This article has generated a lot of interest with retailers facing the dreaded MC L2 issue. Not surprisingly, some acquirers are questioning the veracity of the relaxation of “reciprocity”. Is there anything in the public domain from MC to substantiate this?

    To John’s comment, I have been constantly surprised at the lack of knowledge about retailing exhibited by those setting mandates (cost burdens to be added to timing issue). Acquirers are in the same boat as merchants – not knowing/understanding what is coming down the pipe next. Only recourse is to get involved in the process and get vocal!

    Thanks for the article!

  4. Walt Conway Says:

    I agree very much with your suggestion, Gray, that every large merchant should get involved in the PCI process. The good news is that I understand there are well over 300 Participating Organizations. Now all we need to do is make sure everyone is heard! The Council is listening, now we just need to work with the brands a little more.

    As for reciprocity, here is a link to MasterCard’s merchant definitions: http://www.mastercard.com/us/sdp/merchants/merchant_levels.html. If you read it carefully, you’ll note the reciprocity provision in the merchant level definitions (e.g., “or if you are considered a Level X by any of the other card brands”) is gone. You should also check out their FAQ (issued two months after the fact…) here: http://www.mastercard.com/us/sdp/assets/pdf/SDP%20Program%20Revisions%20FAQ.pdf

  5. Walt Conway Says:

    I have a follow-up to Gray’s questioning my statement on MasterCard’s reciprocity being relaxed. He’s right; I was wrong.

    I have been in contact with MasterCard and they corrected me: “we [MasterCard] never removed reciprocity from our rules. The language was simply changed from ‘competing brand’ to ‘Visa’. The ‘competing brand’ language has been in the rules since 2005 and this was meant to facilitate alignment between MasterCard and Visa.”

    I stand corrected. That means that not some but ALL L2 merchants will need an onsite. See the latest on these developments with some good news here: http://www.storefrontbacktalk.com/securityfraud/mastercard-blinks-drops-dec-31-level-2-pci-deadline/

  6. Robert Spivak Says:

    I wanted to comment on the dates. I agree that they seem to be timed poorly for certain retailers, while for others they fit well. Working with software vendors, we find that depending on the industry, certain times of the year are good and others are not.

    For example, a college book seller will need to be locked down both in September and in January, and the holidays are not as big a deal, while a bridal shop will state that March through June nothing can change. Your standard big box stores will tell you that back to school and holidays are locked down. Also, depending on what region of the world you are in, it can change. The US Thanksgiving is the biggest shopping day of the year for the US, while in Canada Boxing Day is the big sales day.

    So we find that if you are involved with enough retailers, in different verticals, and different regions of the world, there is never a good time to implement changes.

    It has been my experience, however, that as long as there is a process to implement changes and the merchant can provide evidence that the process is followed, usually there can be some leniency given to the implementation of a mandate.

StorefrontBacktalk