Level 2 Merchants Beware: Your PCI validation process could be changing
If your business processes between 1 million and 6 million credit card transactions annually and you accept MasterCard as a form of payment, your PCI validation process is probably about to change.
Up until June 30, 2012, virtually all Level 2 merchants (defined by both Visa and MasterCard as any merchant processing between 1 million and 6 million transactions annually) could validate PCI compliance by simply completing a self-assessment questionnaire (SAQ). This self-reporting structure relied upon the merchant's own, correct assessment of its compliance with the PCI Data Security Standard (DSS).
As of June 30, however, MasterCard began stipulating that all Level 2 merchants utilize a PCI security expert to both assess and validate their PCI DSS compliance. This change is a departure from the validation requirements of the other major card brands (Visa, American Express, Discover and JCB); up until this change, each card brand's guidelines regarding merchant levels and validation type had been very similar.
Before going any further, it is important to understand that being "compliant" is completely different from validating that compliance. PCI compliance is an ongoing state of credit card data security that all merchants and service providers (i.e., any entity that stores, processes or transmits cardholder data) must maintain at all times; it is a continuous process, not a point-in-time event. Compliance validation, on the other hand, is the annual activity of attesting to your organization's state of ongoing compliance.
Two ways to validate
According to the new MasterCard requirement, Level 2 merchants have two options for annually validating their PCI compliance:
- Training an internal employee to become an ISA (Internal Security Assessor) — Merchants choosing this path can continue with the self-assessment process, as long as their staff includes a formally trained ISA employee who remains in good standing with the PCI SSC. This person must then perform the annual self-assessment, which includes completing the SAQ.
- Hiring a Qualified Security Assessor (QSA) to perform the audit — This option allows the merchant to rely on an external, fully trained (and PCI SSC-qualified) security professional for its annual validation in lieu of training its own staff member(s). The QSA will conduct a PCI DSS audit and issue a formal Report on Compliance (RoC).
Regardless of the option you choose, a formal PCI DSS assessment involves a higher level of scrutiny than the traditional self-assessment Level 2 merchants were performing. In other words, you should expect the newly required validation process to take longer and involve more of your resources/personnel. In addition, either option will add to your annual validation expenses: there are fees associated with ISA training and annual re-qualification, and a QSA engagement is billed professional work.
Choosing the right path for your business
According to the PCI SSC, "ISA training is intended primarily for individuals who already possess significant relevant security audit and assessment experience (including but not limited to Network Security, Application Security and Consultancy, System Integration, and Auditing)"; therefore, Level 2 merchants who already have an experienced, on-staff information security professional may be able to support this option.
Most Level 2 merchants, however, will find that hiring a QSA to perform the annual audit is the appropriate path for their business to take, given that the QSA comes equipped with in-depth knowledge of PCI and data security. In addition, QSAs provide an objective, unbiased, third-party assessment of the security controls in place from a PCI compliance standpoint. A seasoned QSA can make all the difference when it comes to streamlining internal processes and controls for easier compliance down the road.
How to prepare
If your business has historically performed self-assessments, it's important to know your annual credit card transaction volume. This will help determine the likelihood of receiving notification from your acquiring bank or card brands stating that you are considered a Level 2 merchant and must now follow the MasterCard rule. (Note that while the rule went into effect on June 30, its enforcement will be ongoing and widely variable over the next few years.)
Even if your organization is close to processing 1 million transactions annually and can still self-assess, preparing for a more formal assessment is never a bad idea. Assessment preparation usually involves a "pre-audit" or gap assessment that helps merchants fully understand the cardholder data environment (where cardholder data is stored, processed and transmitted) and how the PCI DSS controls apply to it. Preparing in this way will help the more formal PCI DSS assessment now required by MasterCard go more smoothly.
Data security is paramount
MasterCard's new Level 2 compliance validation requirement necessitates a closer look at the internal data security controls that protect the merchant and its customers from data loss and theft. While the additional time and money may appear to be nothing but an inconvenience, the overall benefit of an expert assessment is considerable when it comes to the security of your business. And, as mentioned, a formal assessment (particularly by a QSA) can actually reduce your compliance-related expenses over time.
As always, I encourage you to contact ControlScan at 1-800-825-3301 X3 with any questions you may have regarding the security of your payment transactions and sensitive data. We are happy to help.