Post Archive
Tags
2.0 3.0 Agency Assessment assessments audit Breach BYOD cloud Compliance Cyber cybersecurity Data DRG DSS e-banking encryption engineering federal FedRAMP FISMA forensics government GRC hacker hacking Health Healthcare HIMSS HIPAA HITECH IT labs legislation merchant mobile Navis News NRF P2PE PA-DSS password passwords Payments PCI penetration pentesting policy Privacy program Retail Risk RSA security security. Self-Assessment social State test Testing Virtualization web

The Coalfire Blog

Surprises Ahead for Some Level 2 Merchants

April 12, 2012, Chris Lietz, Vice President, Marketing & Channels

Chris Lietz

The PCI DSS has been around for years, and most PCI “pro’s” are familiar with the processes needed to validate compliance. However, insiders often forget that small changes to the guidelines can have a big impact on merchants.

One such change is upon us:  MasterCard’s new validation guidelines for Level 2 merchants that are scheduled to take effect on June 30, 2012.

These guidelines were published so long ago that many people take it for granted that they are commonly understood. At Coalfire, we’re not so sure --- it seems that every day, we get a call from a merchant who received an unexpected notice from their credit card processor. These notices come as a result of the fine print in the chart below:


Source: MasterCard Site Data Protection and PCI: http://www.mastercard.com/us/company/en/whatwedo/determine_merchant.html


In short, the message is this:

“Congratulations, you’re now a Level 2 merchant.  Under the guidelines set forth by the PCI SSC, we require you to submit:

  • “Clean” Quarterly Vulnerability Scan Reports, produced by a PCI ASV,

And either:

  • A PCI Self-Assessment report, completed by an Internal Security Assessor,  or
  • A Report on Compliance from an Qualified Security Assessor.

Your due date is due by ___________.”


In all our years in the PCI business (that is, since the inception of the PCI SSC!), we’ve seen it time and time again: most merchants are un-prepared when their processor makes such request. In some cases, a trained assessor finds compliance gaps that weren’t detected on prior iterations of the SAQ; in other cases, it’s simply a timeline or resource problem – the deadline is upon them before they can do the assessment and gap-closing work required to produce a passing report.  And not surprisingly, they aren’t happy about it.

That’s why Coalfire introduced a new program for the newly-notified Level 2 merchants.   Via this program, we are offering (free!) tools to help freshly-minted ISAs, and QSA support that can jump start either internal or external validation efforts. 

PCI compliance isn’t easy, but we want to do our part to help merchants come to grips with the task ahead.  Read more on the Level 2 merchant support program.

<< Go Back

Trackback URL: http://www.coalfire.com/trackback/91da8207-bdff-4a04-9c93-a73f421357d5/Surprises-Ahead-for-Some-Level-2-Merchants.aspx?culture=en-US

Comments
Blog post currently doesn't have any comments.