24 Jan 12

Are You A Level 2 Merchant?

It is that time of the year again.  I have had calls from a number of Level 2 merchants in a panic about the upcoming MasterCard deadline.  I also have a number of prospective clients that are saying, “Deadline?  What deadline?”

To refresh everyone’s memory, three and a half years ago, MasterCard issued a directive that by June 30, 2010, all Level 2 merchants needed to either: (1) have a PCI SSC certified Internal Security Assessor (ISA) prepare their Self-Assessment Questionnaire (SAQ) or, (2) have a PCI SSC certified Qualified Security Assessor (QSA) conduct a PCI assessment and issue a Report On Compliance (ROC).

Because of the uproar this directive caused with their Level 2 merchants, MasterCard backed off on the 2010 date but set forth a new date of June 30, 2012.  Now jump to the present: it is January 2012 and the calls from Level 2 merchants are starting to ramp up.  These merchants are now in a panic because, guess what?  Level 2 merchants put the ISA/ROC issue on the back burner and forgot about it until just now, and they cannot afford to meet this requirement.  Oops!

I have sent a message to MasterCard to confirm that the June 30, 2012 date is still valid.  Until I have confirmation, if you look at MasterCard’s Web site, the June 30, 2012 date is still posted as the date you will need to meet the aforementioned requirements.

For all of you Level 2 merchants that accept MasterCard, I would highly recommend that you contact your acquiring bank and confirm the SAQ and ROC reporting requirements.

UPDATE: MasterCard confirmed on Thursday, January 26, 2012, that the June 30, 2012 date is going to be enforced.


3 Responses to “Are You A Level 2 Merchant?”


  1. 1 Tim Holman
    January 26, 2012 at 7:33 AM

    I also remember MasterCard adding a 30 June 2011 date too, and backing off from that as well – http://www.2-sec.com/2010/01/08/onsite-qsa-requirement-for-level-2-merchants-reversed/

    The key issue this presents is that Level 2 merchants must either use an ISA or a QSA. As the ISA programme is completely oversubscribed, it’s actually quite difficult to get on it, hence level 2s are getting pushed down the QSA route.

    Fine, thanks, will accept the business, but as QSAs, we’re also oversubscribed and our day rates very high, so I do think it a bit unfair that in effect, Level 2 merchants are now being forced to use QSAs.

  2. 2 Michael
    January 24, 2012 at 11:42 AM

    Where on the website is this noted?

    • January 24, 2012 at 5:30 PM

      Look at the Merchant levels on this page.

      http://www.mastercard.com/us/company/en/whatwedo/determine_merchant.html

