Level 2 Merchant Validation
February 13th, 2007 by datasecurity Posted in Compliance, Merchant, PCI DSS, QSA
Max asks:
From the literature I’ve consulted, it seems that the only actions I need to take if I am a level 2 merchant are to fill out and submit my self-assessment and my network scan report. However, we have a consulting firm that is telling us that we must first “validate” the questionnaire with them (and of course, this costs in the 6 digits).
Can you confirm or infirm this? I don’t really see anywhere in the VISA or PCI documents that I require to have anyone else “validate” my questionnaire.
You are correct in that Level 2 Merchants (in the US) are only required to submit to their acquiring bank the Self-Assessment Questionnaire (SAQ) and a clean scan from their Approved Scan Vendor (ASV).
That is it. You are not required to hire anyone.
That being said, the SAQ can be difficult for some smaller merchants to complete, and it can be helpful to hire a Qualified Security Assessor (QSA) to help with the process. It is important to know that the SAQ is a shortened version of the Security Audit Procedures (SAP), which is a great place to find answers to your questions about what a particular requirement means.
THAT being said, I would never pay 6 figures to a QSA to assist a Level 2 merchant in filling out their SAQ. That is just way too high a price for some simple consulting work.
You can find all these forms and more information on the PCI Security Standards Council website. And please post these questions, or look for answers, in the PCI forum at forum.pcianswers.com.
One Response to “Level 2 Merchant Validation”
By Mark Mac Auley on Feb 14, 2007
I have heard this as well from a retailer in PA. Here is the deal/scam/racket or business proposition…
The scanning/auditing consultants recommend and offer their service. In this case it is the Verisign auditors. They in turn let the Verisign sales team know that there are issues and hence the Verisign sales team should call to discuss Verisign solutions with them.
If you have been in IT for more than a few years you know why Accenture and Andersen consulting are two very separate organizations - auditors have a conflict of interest if the company they work for also provides services and/or products designed to fix what is found to be non-compliant.
Do yourself a favor - go through the process yourself, learn what you don’t know and then bring in the fix it guys to fix what is wrong. Or outsource everything and mitigate your risks that way.
I was in the consulting business for years and here’s the deal - the validation is a way for consultants to uncover everything that is wrong and find more problems to fix and to ‘properly scope’ what you need done.
Scope it yourself, send it to several vendors, let them know the scoping has been done and the top 3 things you need addressed are 1, 2, and 3. If they want to scope something, tell them you’ll pay for 2 days; the rest is on their nickel.
I can recommend a solution that will audit your entire environment, and give you more detail in 2 days than a team of consultants can in 2 weeks. It wasn’t designed for PCI audit but one of my clients got an audit and enforcement for $100K. In fact my clients’ PCI auditors cut their price in half when they saw the depth of data that could be captured in 24 hours.