MasterCard SDP Revisited For Level 2 Merchants

I have had several clients contact me in the last couple of weeks regarding MasterCard’s Site Data Protection (SDP) program.  Specifically, what is MasterCard’s position regarding Level 2 merchants completing a Self-Assessment Questionnaire (SAQ)?  All of these merchants intend to conduct their own SAQ but wanted to make sure that is still acceptable under the MasterCard SDP rules.  Last year there was a lot of confusion when MasterCard pulled back from its decision to require Level 2 merchants to have a QSA conduct an on-site PCI assessment.  However, I thought the new rules were straightforward and did not realize that there could be confusion until I started getting questions.

If you go to the MasterCard Web site and to the Merchant Levels Defined page, you will see the following information regarding Level 2 merchants.  Under the “Onsite Assessment” column, MasterCard states that it is at the merchant’s discretion, with a reference to footnote two.  Under the “Self Assessment” column, it says that the self-assessment is required annually and also references footnote two.  Footnote two states the following.

“Effective 30 June 2011, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.”

The key date to remember is June 30, 2011.  In my humble opinion, and based on previous PCI pronouncements, if you can get your SAQ effort started before June 30, 2011, you can do it internally with any staff you choose.  However, from June 30, 2011 forward, Level 2 merchants that wish to complete an SAQ must use personnel who have attended and passed the PCI SSC Internal Security Assessor (ISA) program annually.  To be safe, I would confirm your plans with your acquirer before you start, just to ensure that you are not going to get in trouble when you submit your SAQ.

Where things get confusing is MasterCard’s use of the phrase “at their own discretion” in describing the alternative.  The reason I think this is confusing is that the alternative is hardly discretionary.  As near as I can tell, if a merchant does not have staff attend and pass the PCI SSC’s ISA training annually, then the merchant is required to have a QSA conduct an annual on-site assessment (code words for a Report On Compliance, or ROC).  In my book, that is hardly discretionary.  It is an either/or: you do it one way or you do it the other, but you are going to pick one.  I suppose MasterCard is trying to soften the blow by indicating that which option to choose is up to the merchant.

In the end, there is hardly a nice choice.  ISA training is not exactly cheap and, for most merchants, requires travel in addition to the cost of the training, let alone making sure that the merchant has staff capable of passing the ISA course and conducting such an assessment.  And that is an annual cost, not a one-time expense.  I am also sure that ISAs will have to keep work papers and meet the other requirements that QSAs are required to meet, so there is more work and cost.  Then there is the cost of a QSA conducting an on-site assessment, which is also not cheap.  How much work is involved will come down to the type of SAQ the merchant would fill out.  However, I have to admit that most Level 2 merchants would end up with SAQ D, which is not exactly a small task to complete.  That is why we have always referred to SAQ D as “ROC Lite.”

So it appears that Level 2 merchants that take MasterCard are damned if they do, and damned if they do not.  Pick your poison my friends.


7 Responses to “MasterCard SDP Revisited For Level 2 Merchants”

  1. Jonatan Pregliasco
    April 14, 2015 at 1:27 PM

    Hello PCI Guru. I was doing some research about this and, as always, I got redirected right here by Google (I guess that’s why you’re being named Guru, right? haha)
    Regarding this matter, would you agree that an external QSA could also perform the SAQ self-assessment for a Level 2 MasterCard merchant, in case they want it?
    I mean, does it really need to be an internal ISA? QSAs are, in essence, meant to have the same or more knowledge about PCI, so I actually think it would be acceptable to have a QSA conducting a self-assessment for a Level 2 company (not a ROC and on-site assessment).
    In addition, the AOC clearly asks for a definition of the role that the QSA or ISA took during the self-assessment.

    Thanks again for your opinion!

    • April 14, 2015 at 6:48 PM

      Since 2012, if you are designated as a level 2 merchant by MasterCard, you are required to perform a Report On Compliance (ROC). An SAQ is not acceptable. The ROC can be performed by either an ISA or a QSA. These rules are posted on the MasterCard Web site.

      • Jonatan Pregliasco
        April 15, 2015 at 5:02 AM

        Thank you so much for the quick answer.
        I’m looking at MasterCard’s website (SDP website) and I’m seeing that, for Level 2, both self-assessments (SAQ performed by an ISA) and on-site assessments (ROC performed by a QSA) are acceptable. Is there something I’m actually missing? If you could please point it out, I would be more than thankful!

      • April 15, 2015 at 2:22 PM

        It was way too early this morning when I replied. You are correct. An ISA can do an SAQ or an organization can hire a QSA and do a ROC.

      • Jonatan Pregliasco
        April 16, 2015 at 5:34 AM

        hahah don’t worry! It put me back to the first doubt I had. In your opinion, would an externally hired QSA play the internal ISA role in terms of validation for the SAQ? (I know the final word would still rely on the acquirer, so that’s why I’m just asking for your thoughts 🙂 )
        Thanks again, Sir!

      • April 16, 2015 at 5:50 AM

        The MasterCard site is pretty clear.

        “Effective 30 June 2012, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved Qualified Security Assessor (QSA) rather than complete an annual self-assessment questionnaire.”

        This is an “either/or” situation. You either have a trained and accredited ISA do a self-assessment (i.e., SAQ) OR you hire a QSA and do a Report On Compliance (ROC).

        All of this said, I would talk to your acquiring bank and get them to formally agree to a QSA doing an SAQ instead of a ROC to meet the MasterCard requirement.





December 2010