The Coalfire Blog

Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, Retail, Financial Services, Healthcare, Higher Education, Payments, Government, Restaurants, and Utilities.

The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts. We look forward to your comments, so please join the conversation.


Surprises Ahead for Some Level 2 Merchants

April 12, 2012, Chris Lietz, Vice President, Marketing & Channels


The PCI DSS has been around for years, and most PCI "pros" are familiar with the processes needed to validate compliance. However, insiders often forget that small changes to the validation guidelines can have a big impact on merchants.

One such change is upon us: MasterCard's new validation guidelines for Level 2 merchants, scheduled to take effect on June 30, 2012.

These guidelines were published so long ago that many people take it for granted that they are commonly understood. At Coalfire, we're not so sure; it seems that every day we get a call from a merchant who has received an unexpected notice from their credit card processor. These notices are the result of the fine print in the chart below:

[Chart not reproduced. Source: MasterCard Site Data Protection and PCI]

In short, the message is this:

"Congratulations, you're now a Level 2 merchant. Under the guidelines set forth by the PCI SSC, we require you to submit:

  • "Clean" quarterly vulnerability scan reports, produced by a PCI Approved Scanning Vendor (ASV),

And either:

  • A PCI Self-Assessment Questionnaire (SAQ), completed by an Internal Security Assessor (ISA), or
  • A Report on Compliance (ROC) from a Qualified Security Assessor (QSA).

Your submission is due by ___________."

In all our years in the PCI business (that is, since the inception of the PCI SSC!), we've seen it time and time again: most merchants are unprepared when their processor makes such a request. In some cases, a trained assessor finds compliance gaps that weren't detected on prior iterations of the SAQ; in other cases, it's simply a timeline or resource problem: the deadline is upon them before they can do the assessment and gap-closing work required to produce a passing report. Not surprisingly, they aren't happy about it.

That's why Coalfire introduced a new program for newly-notified Level 2 merchants. Through this program, we are offering free tools to help freshly-minted ISAs, along with QSA support that can jump-start either internal or external validation efforts.

PCI compliance isn't easy, but we want to do our part to help merchants come to grips with the task ahead. Read more on the Level 2 merchant support program.
