Jun 17 2009

Level 2 merchants are going to have to get serious about PCI

Published by at 11:51 am under General

Branden Williams at Verisign just posted that MasterCard is now requiring an on-site assessment by a QSA for all Level 2 Merchants.  This is huge because Level 2 Merchants have historically been able to simply fill out a Self-Assessment Questionnaire (SAQ) and call their PCI compliance done.  According to Branden, 30% of the answers merchants have been giving on the SAQs have been wrong, and I’m willing to bet the wrong answers are in little areas of compliance like log management and encryption.  You know, the small things that can be fixed by throwing a ton of money and time at them, if you have either in the current economy.

From a business perspective for QSAs and their companies, this is huge.  The competition to provide services to Level 1 Merchants and Service Providers hasn’t hit its peak yet, but it’s much harder than it was a couple of years ago.  I doubt many sales people were sweating and wondering how they were going to make their quota yet, but now they could see the issue coming.  Now they just have to go back and look at all the Level 2’s they’ve been providing other services for, and they can start making all those calls to upgrade to having that QSA come on-site.

This might be a good time for someone with access to such statistics to take a baseline of compromise statistics and start seeing if the PCI requirements really are making us more secure or not!  Rather than having the constant argument of “it’s working/it’s just smoke and mirrors”, take a snapshot of what we know right now and let’s see if making the Level 2 Merchants have an on-site assessment is really working.  The Verizon Breach Report may be an excellent starting place for such statistics, especially when we’re able to review the stats year over year.  We won’t really be able to make the call until after the December 31st, 2010 deadline, but we need to get that baseline measurement in place now so we can see the effect.

I am guessing that there are going to be a lot of QSA companies that get bigger this year, as well as a whole slew of new companies started just to deal with the Level 2 Merchants.  I’m hoping that the quality of the assessors doesn’t fall because of the huge influx of QSAs we’re going to need to handle the work.  I have a pretty good idea what opinion some of my colleagues in the security field have of existing QSAs, so I really don’t want them to have more ammunition to use in the battle over whether or not PCI is effective.


5 Responses to “Level 2 merchants are going to have to get serious about PCI”

  1. […] actually more concerned about the currently overworked assessors having their workload added to.  Martin McKeay notes the following: “I’m hoping that the quality of the assessors doesn’t fall because of the huge influx of […]

  2. […] Martin says, Level 2 merchants are now faced with a little bit higher bar to get over. Network Security Blog >> Level 2 merchants are going to have to get serious about PCI Tags: ( pci […]

  3. […] off, I have a cluster of stories on PCI.  MasterCard stunned a lot of us this week by changing the requirements for Level 2 merchant, making it mandatory for them to have an annual […]

  4. Dave Whitelegg on 24 Jun 2009 at 3:32 am

    I was speaking with some of the senior folk at Visa Europe about this recently; it is fair to say they were rather surprised by this move by MasterCard, and said Visa had no plans to follow suit in requiring level 2 merchants to undergo an inaugural onsite assessment by a QSA.

    The card schemes can set their own criteria in regards to PCI DSS assessment requirements; however, I personally don’t think it is good for the PCI standard to have disjointed assessment requirements.

    I appreciate the competition laws, but for me PCI’s main strength is it is an industry agreed and accepted standard, so I am hoping this doesn’t lead to further fractures and disjointed messaging.

  5. Martin on 24 Jun 2009 at 1:24 pm

    I wish that this had been discussed with the industry as a whole before MC had gone through with it, but I see it as a good thing regardless. I’d heard rumors earlier this year that this was something that was being contemplated, but so far everyone I’ve talked to said the move caught them by surprise.