Are You A Level 2 Merchant?

It is that time of the year again.  I have had calls from a number of Level 2 merchants in a panic about the upcoming MasterCard deadline.  I also have a number of prospective clients that are saying, “Deadline?  What deadline?”

To refresh everyone’s memory, three and a half years ago, MasterCard issued a directive that by June 30, 2010, all Level 2 merchants needed to either: (1) have a PCI SSC certified Internal Security Assessor (ISA) prepare their Self-Assessment Questionnaire (SAQ) or, (2) have a PCI SSC certified Qualified Security Assessor (QSA) conduct a PCI assessment and issue a Report On Compliance (ROC).

Because of the uproar this directive caused among its Level 2 merchants, MasterCard backed off the 2010 date and set a new one of June 30, 2012.  Jump to the present: it is January 2012 and the calls from Level 2 merchants are starting to ramp up.  These merchants are now in a panic because, guess what?  They put the ISA/ROC issue on the back burner, forgot about it until just now, and cannot afford to meet this requirement.  Oops!

I have sent a message to MasterCard to confirm that the June 30, 2012 date is still valid.  Until I have confirmation, if you look at MasterCard’s Web site, the June 30, 2012 date is still posted as the date you will need to meet the aforementioned requirements.

For all of you Level 2 merchants that accept MasterCard, I would highly recommend that you contact your acquiring bank and confirm the SAQ and ROC reporting requirements.

UPDATE: MasterCard did confirm that the June 30, 2012 date was accurate.


7 Responses to “Are You A Level 2 Merchant?”

  1. February 3, 2016 at 5:24 PM

    What is the risk of NOT being SDP certified and only being PCI compliant?

    • February 7, 2016 at 11:06 AM

      The point of getting listed on the Visa and MasterCard Service Provider lists is more of a marketing gambit than anything else. There are a lot of merchants that will not work with a service provider unless they are listed on one or both of those lists. It is not required of service providers, but a lot of sales and marketing people tend to drive organizations to be on those lists because they are losing sales to others that are on those lists.

      • February 9, 2016 at 2:26 PM

        We are a merchant, not a service provider. Do we have to pass MasterCard’s PCI Site Data Protection (SDP), in addition to passing the PCI test?

      • February 11, 2016 at 7:56 AM

        If you accept MasterCard payment cards for payment, then under your Merchant Agreement you must comply with MasterCard’s security program (SDP) as well as all relevant PCI requirements. This is true for all card brands you accept. All the card brands have security requirements for merchants above and beyond the PCI DSS. It is up to you to go to all the card brand Web sites and find those additional requirements.

  2. February 3, 2016 at 4:44 PM

    Now it is 2016 and PCI 3.1. Can we, as Level 2, do the SAQ by ourselves (without a QSA and without an ISA) to be PCI compliant?

    An SAQ done by an internal ISA will have an EXTRA benefit of being listed on the MasterCard compliance list. But it is NOT a PCI requirement, per my understanding.


    • February 7, 2016 at 11:04 AM

      In order to be listed on MasterCard’s Service Provider list, you must use a QSA and produce a ROC. The whole point of that process is to have an independent assessment against the full set of testing. So doing an SAQ D by an ISA is not an option.

    • February 11, 2016 at 8:01 AM

      Based on your last comment that you are a merchant, not a service provider, here are your options. As a level 2 merchant, MasterCard requires you to either have: (1) a Qualified Security Assessor (QSA) assess your organization under a Report On Compliance (ROC), OR (2) you may do the appropriate self-assessment questionnaire (SAQ) conducted by a PCI SSC certified Internal Security Assessor (ISA).
