The Coalfire Blog
Surprises Ahead for Some Level 2 Merchants
April 12, 2012, Chris Lietz, Vice President, Marketing & Channels
The PCI DSS has been around for years, and most PCI “pro’s” are familiar with the processes needed to validate compliance. However, insiders often forget that small changes to the guidelines can have a big impact on merchants.
One such change is upon us: MasterCard’s new validation guidelines for Level 2 merchants that are scheduled to take effect on June 30, 2012.
These guidelines were published so long ago that many people take it for granted that they are commonly understood. At Coalfire, we’re not so sure --- it seems that every day, we get a call from a merchant who received an unexpected notice from their credit card processor. These notices come as a result of the fine print in the chart below:
Source: MasterCard Site Data Protection and PCI: http://www.mastercard.com/us/company/en/whatwedo/determine_merchant.html
In short, the message is this:
“Congratulations, you’re now a Level 2 merchant. Under the guidelines set forth by the PCI SSC, we require you to submit:
“Clean” Quarterly Vulnerability Scan Reports, produced by a PCI ASV,
A PCI Self-Assessment report, completed by an Internal Security Assessor, or
A Report on Compliance from an Qualified Security Assessor.
Your due date is due by ___________.”
In all our years in the PCI business (that is, since the inception of the PCI SSC!), we’ve seen it time and time again: most merchants are un-prepared when their processor makes such request. In some cases, a trained assessor finds compliance gaps that weren’t detected on prior iterations of the SAQ; in other cases, it’s simply a timeline or resource problem – the deadline is upon them before they can do the assessment and gap-closing work required to produce a passing report. And not surprisingly, they aren’t happy about it.
That’s why Coalfire introduced a new program for the newly-notified Level 2 merchants. Via this program, we are offering (free!) tools to help freshly-minted ISAs, and QSA support that can jump start either internal or external validation efforts.
PCI compliance isn’t easy, but we want to do our part to help merchants come to grips with the task ahead. Read more on the Level 2 merchant support program.
<< Go Back
Blog post currently doesn't have any comments.