Are You A Level 2 Merchant? Beware The MasterCard Trap

I had a discussion with a prospective client and, as these things usually go, the first task was to determine their merchant level.  As it turned out, they were confused about the difference between Level 3 and Level 4, and their bank was just as confused.  The merchant had roughly a 2 to 1 advantage in Visa transactions (around 800K) over MasterCard and, in total, had more than one million transactions across all card brands.

When their bank could not settle on a merchant level, it referred them to Visa since the bank was affiliated with Visa.  Visa informed the merchant that it considered them a Level 2 merchant because of their high proportion of eCommerce transactions (80%+) and their total transaction count across all payment cards (around 1.3M).

With this information in hand I said, “Well, it looks like you’ll be doing a ROC.”

The CFO at the other end of the WebEx exclaimed, “Say what!  Why do we need to do a ROC?  The standard says we can do a self-assessment!”

Sadly, another merchant gets caught flat-footed by the card brand rules.  People think that the PCI DSS and the other PCI standards are all they have to worry about for card payment compliance.  However, each of the card brands (i.e., Visa, MasterCard, American Express, Discover and JCB) also has its own security program in addition to the PCI standards (MasterCard's Site Data Protection (SDP) program, for example), and those programs must also be followed.  Think that is not the case?  The Merchant Agreement from the bank that someone in the merchant's organization signed calls out that not only must the PCI standards be followed, but also the rules of each card brand the merchant has agreed to accept for payment (almost always Visa and MasterCard, plus one or more of the others).

One of those "quirks" in the card brands' programs that keeps coming up is the one regarding Level 2 merchants and MasterCard.

The first thing everyone needs to remember is that if a merchant is at a certain merchant level for one card brand, they are at that merchant level for ALL the card brands they accept.  The second thing to remember is that any card brand can set a merchant's level regardless of transaction volume.  I have had merchants end up as Level 1 with fewer than 30K transactions a year, all because the dollar value per transaction was extremely high, as is common with business to business (B2B) transactions.

With that in mind, a merchant needs to go to the Web site of each card brand it accepts and review that brand's rules.  On the MasterCard Web site, the page titled 'What merchants need to know about securing transactions' lists the requirements by merchant level; under Level 2 you will see footnote 3 next to the requirement "Onsite Assessment at Merchant Discretion".  That footnote states the following:

“Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved Qualified Security Assessor (QSA) rather than complete an annual self-assessment questionnaire.”

To get an employee trained as an ISA, an organization needs someone with a background in both compliance and technology.  Typically that is someone in internal audit, a department that many Level 2 organizations do not have; where they do have one, its people rarely have the time to take on PCI.  Then there is the cost, which is $3,100 USD plus travel expenses, since ISA training is rarely offered locally.  And finally, there is the employee retention issue after such an investment: the ISA qualification is tied to the sponsoring employer and does not follow the individual to a new job.

In the end, most Level 2 organizations do not see the cost benefit of training one of their employees as an ISA just to do an SAQ.  That is how I get to my comment about Level 2 merchants doing a ROC.

Oh, and for the record, the PCI standards themselves do not dictate which organizations can fill out a self-assessment questionnaire (SAQ) and which must produce a Report On Compliance (ROC).  The card brands dictate that, based on merchant and service provider levels.  In this case, MasterCard has its own ideas about Level 2 merchants.  Whatever you conclude, confirm the reporting expectation with your acquiring bank (and, if necessary, the brand) before you file, so that you submit the correct paperwork rather than finding out after the fact.

21 Responses to “Are You A Level 2 Merchant? Beware The MasterCard Trap”

  1. Seth Kusiak
    May 29, 2020 at 5:10 PM

    Hello, in this post, you wrote: "The first thing everyone needs to remember is that if a merchant is at a certain merchant level for one card brand, they are at that merchant level for ALL the card brands" — I'm unable to find any information that supports that. If I go to MasterCard under Level 3, they note that it includes "Any merchant meeting the Level 3 criteria of Visa" — it doesn't say anything about all card brands. I ask because the AMEX card brand has a Level 3 merchant maxing out at 50K transactions per year. If a merchant is a Level 3 for Visa and MasterCard but a Level 2 for AMEX, does that mean that the merchant is Level 2 for Visa and MasterCard as well, even though they don't accept AMEX?

    • May 30, 2020 at 3:58 PM

      It is an old rule from the original days of the PCI DSS and actually predates the DSS. Visa and MasterCard have always agreed on their merchant and service provider levels. Discover slowly adopted them, but AmEx and JCB have always had their own. However, the rule is that the highest merchant level is the merchant level for all of the payment card brands accepted.

      If you do not accept a payment card brand then the classification with the unaccepted brand is irrelevant.

      However, if you accept Visa, MasterCard and Discover and you are a Level 2 merchant for Visa but Level 4 for MasterCard and Discover, you are a Level 2 for all.

      You would have to confirm that fact with your bank or the brands involved, but that is how it has worked since the levels were invented.

  2. gmanpmp
    February 17, 2020 at 8:01 AM

    One note on the employee retention for sending someone for the PCI-ISA training. The PCI-ISA certification is tied to the employer, so the employee would lose it when they leave the company. However, once they earn an ISA certification, they can apply for, along with a small fee, the PCIP certification which is tied to the individual and is portable to other jobs.

    • February 17, 2020 at 11:36 AM

      From page 2 of the ISA Program Guide.

      “ISA qualification is not transportable, and qualification as an ISA or Sponsor Company is not assignable or transferable. An individual’s ISA qualification applies only for their Sponsor Company (and not for any other organization), and only while that individual remains employed by the Sponsor Company that employed him or her when initially qualified as an ISA (the “Initiating Sponsor Company”).”

  3. Shmuel
    January 14, 2020 at 1:31 AM

    What is written in the article is not relevant. The acquirer needs to decide what is the proper level based on the entire merchant activity without any connection to the brands.
    It is not professional to close your eyes and look at the exposure of a merchant based on specific brand traffic. You should look at all the traffic and by that decide the merchant level.

    • January 16, 2020 at 8:19 AM

      That is NOT what the Brands will tell you. A bank might look at it that way based on their risk exposure. However, a Brand has every legal right to overrule any acquiring bank’s decision on merchant or service provider level. I know this because I have seen it happen where a brand decides unilaterally to make an organization Level 1. Does it happen often? Not sure. But it can happen and the last thing you want is to have it happen by surprise after you have submitted your assessment. That is why it is important to have discussions with your bank before filing so that you file the correct paperwork.

  4. December 9, 2019 at 8:17 AM

    Correct me if I’m wrong but since they were doing over 300k transactions they would have to be PCI DSS Level 1 compliant anyway?!

  5. Robert
    December 9, 2019 at 8:08 AM

    The point is that the QSA would be engaged with the customer in the capacity of an ISA, not a QSA. This form of consultancy engagement is available from several QSACs. The level of effort expended in a self-assessment is less than that expended in an on-site and therefore the cost of the engagement is proportionally lower than a full on-site, to the point where it makes economic sense for the client. The PCNs accept AOCs/SAQs conducted under this engagement model.

    BTW, classifying a merchant based on average transaction value is not part of any PCN rulebook. The person who did that performed a dis-service to the merchant.

    • December 9, 2019 at 10:08 AM

      Sorry. A QSA cannot “act” as an ISA. According to the Council, you are either one or the other, but cannot be both. I ran into this at a very large client where I was doing SAQ assessments for a number of their business units. The Council required either my QSAC management signed off on the AOC as a QSA or their internal ISA signed off (in addition to the client’s management). My management preferred that the client’s ISAs signed off.

      FYI You go ahead and argue with the card brands over that classification. They will tell you to bugger off and that it is none of your business.

      • Robert
        January 6, 2020 at 10:56 AM

        The situation you described with your very large client is unique, in that there were both ISAs and QSAs present. I would agree with the decision. In the case where a merchant is L2 but does not have an ISA in-house, they have to be able to complete the appropriate SAQ. As an acquirer, we have no qualms about having the merchant engage a QSA to perform the self-assessment and submit the paperwork. The nature of the engagement is between the merchant and the QSAC.

        Making a merchant validate using a higher PCI merchant level is not the way to offset the financial risk posed to the acquirer by a merchant with high per-transaction values (yet low transaction volumes). As I said, that was a dis-service to the merchant. Rather the acquirer should have imposed reserve funding as the usual means to mitigate that potential financial risk. The decision to use reserve funding is outside the purview of the PCNs so there would be no need to argue with the card brands.

      • January 6, 2020 at 12:12 PM

        All I am trying to do is explain the rules as they are promulgated by the card brands as those rules usually get missed and then merchants end up getting blind sided by their bank or the brands.

        I am glad that you are reasonable in how you handle your merchants but not everyone is so reasonable for a variety of reasons.

  6. QSAsteve
    December 9, 2019 at 3:27 AM

    Mastercard advised us some time back that while a Level 2 merchant needed an on-site audit, the output could indeed be a certified SAQ instead of a RoC. I've followed this approach and never had any push back from an acquirer.

    • December 9, 2019 at 10:10 AM

      The key is that you asked. A lot of times they answer like they did for you, but not always. That is why the merchant needs to ask to confirm what they should do for reporting.

  7. Dan
    December 8, 2019 at 8:09 PM

    Hey PCIGuru,

    Could this not be an assisted SAQ with the QSA and not a full ROC?
    The wording from Mastercard never states it’s a ROC, just “annual onsite assessment”. They then talk about that below.

    "Onsite or Self-Assessment
    A detailed assessment performed by a PCI SSC certified Qualified Security Assessor (QSA) or by a certified Internal Security Assessor (ISA). The assessment validates to the acquirer that the organization is handling card data in accordance with the Payment Card Industry Data Security Standards (PCI DSS).
    Applies to: Level 1 and 2 Merchants"

    Given “a detailed assessment” certainly sounds like a ROC, but can an ISA even complete a ROC document? I was under the impression they were limited to SAQs?

    Has anyone reached out to Mastercard for clarification?

    • December 8, 2019 at 8:13 PM

      What would be the point of purchasing a QSA and not do a ROC? That SAQ is going to cost you some serious change, so why not get your money’s worth?

      • December 8, 2019 at 8:45 PM

        Who says the QSA has to do the SAQ at all? The ISA can complete it. QSAs are good for “consulting” and reviewing our completed SAQ with us before submission. Nothing wrong with a second opinion and/or second set of eyes. Sometimes the ISA needs the QSA to back them up as the “external consultant” even though we are both saying the same thing.
        (PS- go ahead and approve my full response)

      • December 9, 2019 at 10:16 AM

        Yes, a second set of eyes is a good idea.

        The problem with your logic is that the vast majority of Level 2 merchants do NOT have an ISA employee. The reason is that they are too expensive to hire, train and retain. If you are an ISA at a Level 2 merchant, you are in the minority.

      • Dan
        December 8, 2019 at 11:37 PM

        Cost of a ROC vs cost of an SAQ.
        Because for a lot of organizations, price is the primary driver for every decision, including their PCI assessment.

        What's with all these different requirements from different payment brands regarding merchant levels, reporting requirements and PFI reporting timelines? I feel all the card brands should get together and create.... I dunno, a council or something, and align on all of these things, so that merchants and service providers don't have to spend eons of time poring through each card brand's individual program documents.

      • December 9, 2019 at 10:13 AM

        No doubt that, unfortunately, cost is everything to a lot of organizations.

        Because it is the card brands’ prerogative to have their own rules. Be thankful that they got together on the PCI standards as it was a mess before the Council as they all had their own forms, frameworks and programs.

        For the most part, Visa, MasterCard and Discover tend to all operate under the same rules with some exceptions. But it is those exceptions that tend to catch organizations, which is why I try to highlight them.

December 2019