January 24, 2012

Are You A Level 2 Merchant?

It is that time of the year again. I have had calls from a number of Level 2 merchants in a panic about the upcoming MasterCard deadline. I also have a number of prospective clients that are saying, “Deadline? What deadline?”

To refresh everyone’s memory, three and a half years ago, MasterCard issued a directive that by June 30, 2010, all Level 2 merchants needed to either: (1) have a PCI SSC certified Internal Security Assessor (ISA) prepare their Self-Assessment Questionnaire (SAQ) or, (2) have a PCI SSC certified Qualified Security Assessor (QSA) conduct a PCI assessment and issue a Report On Compliance (ROC).

Because of the uproar this directive caused with their Level 2 merchants, MasterCard backed off on the 2010 date but set forth a new date of June 30, 2012. Now jump to the present: it is January 2012 and the calls from Level 2 merchants are starting to ramp up. These merchants are now in a panic because, guess what? Level 2 merchants put the ISA/ROC issue on the back burner and forgot about it until just now, and they cannot afford to meet this requirement. Oops!

I have sent a message to MasterCard to confirm that the June 30, 2012 date is still valid.  Until I have confirmation, if you look at MasterCard’s Web site, the June 30, 2012 date is still posted as the date you will need to meet the aforementioned requirements.

For all of you Level 2 merchants that accept MasterCard, I would highly recommend that you contact your acquiring bank and confirm the SAQ and ROC reporting requirements.

UPDATE: MasterCard confirmed on Thursday, January 26, 2012, that the June 30, 2012 date is going to be enforced.


7 Responses to “Are You A Level 2 Merchant?”


  1. Kevin
    March 27, 2012 at 11:49 AM

    MasterCard has clearly defined two options for level 2 merchants – 1) Send an internal resource to ISA training, have them complete and submit the SAQ, or 2) Engage a QSA to complete an annual on-site assessment RATHER than complete an SAQ.

    I am a QSA, and given these two options, I have had some of our level 2 clients ask this question: “What if we engage you (QSA), to help us fill out our SAQ? Does that meet MasterCard’s requirement?” What is interesting about this question is it doesn’t technically meet either of the two options that MasterCard has provided, but I think we would all agree that a merchant is better off engaging a QSA to serve as the resource to guide them through the SAQ process, and serve the same role that the internal ISA-certified resource would fill. If I am a merchant, rather than spend money to get an internal resource ISA trained, I would hire a QSA that has been doing PCI for many years, and can provide clear guidance gained through experience. There is also a field on each SAQ version (part 1b) for a QSA to indicate that they were involved, even though they don’t sign the AOC (whereas they would sign it for a ROC).

    I have not heard any specific guidance from MasterCard on this; it would make it easier if their second option provided a scenario where the QSA is engaged to either perform an assessment and issue a ROC, or provide assistance in filling out the SAQ. Although, this would admittedly create a lot of wiggle room for “how much” the QSA was involved.

    Thoughts?

    • March 28, 2012 at 3:56 AM

      In prior conversations with MasterCard, they have indicated that if the Level 2 merchant is taking “option 2” and hiring a QSA, then they expect a ROC and AOC to be created. They have never once mentioned that an SAQ could be completed.

  2. Phil
    March 8, 2012 at 8:47 AM

    If I go for ISA training in July/August/Sept 2012 and get ISA certified, does that mean I am safe if I’m a Level 2 merchant? Or does the date mean I have to be trained before June 30th, 2012?

    • March 8, 2012 at 11:32 AM

      As a Level 2 merchant, you can file an SAQ without being an ISA as long as you file on or before June 30, 2012. After that date, the new rules apply.

  3. Tim Holman
    January 26, 2012 at 7:33 AM

    I also remember MasterCard adding a 30 June 2011 date too, and backing off from that as well – http://www.2-sec.com/2010/01/08/onsite-qsa-requirement-for-level-2-merchants-reversed/

    The key issue this presents is that Level 2 merchants must either use an ISA or a QSA. As the ISA programme is completely oversubscribed, it’s actually quite difficult to get on it, hence level 2s are getting pushed down the QSA route.

    Fine, thanks, will accept the business, but as QSAs, we’re also oversubscribed and our day rates are very high, so I do think it a bit unfair that, in effect, Level 2 merchants are now being forced to use QSAs.

  4. Michael
    January 24, 2012 at 11:42 AM

    Where on the website is this noted?

