Secure Payments, PCI DSS, Regulatory Compliance Blog

MasterCard Requires QSA for Level 1 and 2 Merchants

June 18th, 2009 by cmark Posted in PCI DSS

MasterCard recently announced changes to their Site Data Protection (SDP) program. The updates now require Level 1 merchants and Level 2 merchants to engage a Qualified Security Assessor (QSA) to validate compliance with the PCI DSS. Additionally, MasterCard redefined the service provider thresholds and levels to align with Visa: Level 1 service providers are those that store, transmit, or process more than 300,000 MasterCard transactions/accounts per year, and Level 2 service providers are those that handle fewer than 300,000.

The main point of the merchant changes is that Level 1 merchants must now use a QSA, whereas before they were able to self-assess. Additionally, Level 2 merchants are now required to use a QSA, whereas before they were allowed to complete a Self Assessment Questionnaire (SAQ). These are major changes that are sure to have a significant impact on the industry.

While I used to work at MasterCard and I like and respect the MasterCard team very much, I certainly question the rationale behind the changes. If one looks at the 5 largest breaches in history (all since 2005), all five companies had been assessed or were in the process of being assessed by a QSA. Three of those companies were not even merchants; they were processors (and acquirers) that had been validated for multiple years.

This clearly appears to be a response to the increased attention that the PCI DSS is garnering in Congress and in the public in general. Many would likely agree that this is a troubling response. According to the ID Theft Resource Center, data breaches increased over 47% from 2007 to 2008, in spite of the increased regulatory focus of state breach notification laws and the PCI DSS. One has to question the value of requiring more merchants to engage QSAs when the anecdotal evidence suggests that the use of a QSA does not appreciably reduce the likelihood of a breach.

When the latest breaches of major processors were announced, the prevailing position from the PCI stakeholders was that “compliance is different from validation”. If this is indeed accurate, then it appears that they are divorcing themselves from the value of validation. Those companies, while each having been validated by a QSA for over 4 years, were immediately found ‘non-compliant’ after the breach. While I am not arguing whether they were or were not compliant, the fact remains that they had each been validated by the largest and most prominent QSA in the industry. If they were not compliant, yet they were validated, then logically we can say that either 1) the QSA did not do their job or 2) there is limited value in QSA validation. Since the QSAs are responsible for such validation, if they were negligent, then it is a further indictment of the value of QSA validation.

I think most would agree that third-party validation of compliance with any standard has value. The cost and business impact of such an assessment, however, need to be weighed against the value it provides in terms of risk reduction. Many Level 2 merchants are in the position of competing against their larger Level 1 competitors. Requiring them to spend hundreds of thousands, if not millions, of dollars on validation and remediation is difficult to justify in today's environment and in the face of the anecdotal evidence.

This author suggests that pursuing alternative methods of securing payment card data (EMV, end-to-end encryption, tokenization, advanced authentication technologies), coupled with increased education of the industry at large, would be a better investment than stricter validation requirements on merchants. To date, increasingly strict validation requirements have not correlated with reduced data compromise. If our goal is truly protecting data, then we should be evaluating solutions that directly reduce the likelihood of compromise or fraud.

16 Responses to “MasterCard Requires QSA for Level 1 and 2 Merchants”

  2. By Chris on Jun 18, 2009

    Chris,

    Have you heard any indication that the other payment brands will follow suit to align the validation requirements with SDP?

    In a situation where a Level 1 merchant uses one acquirer to accept Visa and MC payments, is the likelihood going to be for that acquirer to require assessment by a QSA to satisfy both CISP and SDP? Or is this still going to be left up to the acquirer's discretion?

  3. By Anton Chuvakin on Jun 18, 2009

    “To date, increasingly strict validation requirements has not resulted in a correlation to reduced data compromise.”

    Do we have data to prove OR disprove this?

  4. By cmark on Jun 18, 2009

    Do you feel that the change is positive and appropriate?

  5. By David on Jun 18, 2009

    Based on average brand acceptance ratios (i.e. 3:1 Visa to MC) - I do not think this will have a big impact. Any merchant accepting that many MasterCard/Maestro is most likely already a Level 1 merchant on Visa’s scale.

  6. By Chris on Jun 18, 2009

    Level 1 merchants on Visa’s scale do not currently have to engage a QSA to perform the annual assessment but will now under the new SDP rules due to the reciprocity provisions.

    I believe this change will only push the compliance validation exercise into a “check-the-box” approach by QSAs who do not want to hear anything about risk to the data or mitigating factors.

  7. By David on Jun 18, 2009

    Yes, Tier 1 Visa merchants ARE required to have a QSA perform the assessment - and I can assure you that acquirers are not signing on Tier 1 Merchants without having a ROC from a QSA. (see link below)

    I think many QSAs out there are already doing the “check-the-box” assessments…and I agree; it will get worse.

    http://usa.visa.com/merchants/risk_management/cisp_merchants.html

  8. By Anton Chuvakin on Jun 18, 2009

    >Do you feel that the change is positive and
    >appropriate?

    No, I really do feel just like what I said: that there is no data to point either way. I think establishing or disproving a link between PCI DSS controls and reduced fraud will be HUGE, if /when it is actually done.

    This is just not a good domain to have an opinion of :-) - we need data.

  9. By Anton Chuvakin on Jun 18, 2009

    >may QSAs out there are already doing the
    >“check-the-box” assessments…and I agree; it
    >will get worse.

    Surely you are not saying that it will be WORSE THAN SAQ?

  10. By Chris on Jun 18, 2009

    David,

    From that page:

    “Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their acquirer. Alternatively, acquirers may elect to accept the Report on Compliance from a Level 1 merchant, provided that a letter signed by a merchant officer accompanies the report.”

    Level 1’s are not required to use a QSA by Visa, only recommended. It is left up to the acquirer to determine if they are willing to accept a report or not. For existing merchants who have decided that a self assessment is the route for them, this will have a big impact.

  11. By David on Jun 19, 2009

    Chris - Sorry about that… I had no idea that a signed letter was still an option. I don’t know of an acquirer who would accept that either. Any idea what percentage of Level 1 merchants are using a signed letter vs. a QSA?

  12. By cmark on Jun 19, 2009

    Great comments and debate. Thanks to everyone for the insight and comments.

    The info related to Level 1’s still being able to self assess is in a footnote under the graph. It is certainly not highlighted.

    We have the opportunity to work and speak with a large number of Level 1 merchants. While many do elect to use QSAs for a variety of reasons, I would estimate that still around 20% of those I am familiar with use internal audit.

    The level 2 reciprocity will change the landscape significantly.

  13. By wconway on Jun 19, 2009

    @cmark: Chris, upon reflection, I wonder if M/C’s move will really have much impact. From my experience, many/most L2 merchants already work with a QSA to get compliant and to help complete their SAQ.

    Maybe it won’t be that big a leap if it is required. And BTW, if M/C requires it, it in effect becomes an industry requirement.

    Any thoughts?

  14. By ibuxton on Jun 19, 2009

    wconway - I am not sure that simply using a QSA to help complete your SAQ will suffice. Branden Williams wrote in his blog that he seems to think that any L2 submissions after 12/31/2010 will need to be in the format of a ROC and not a SAQ (http://blogs.verisign.com/securityconvergence/). My guess is we will need to wait on MC for some additional clarification. Has anyone heard anything else?

  15. By DAG on Jun 19, 2009

    There are interesting implications. Brand reciprocity means that all Level 2 merchants will be required to go this route. MasterCard’s change snagged the entire industry.

  16. By Chris on Jun 20, 2009

    I’ve worked with a number of Level 1’s and 2’s who have gone the QSA route in the past and prefer doing the self assessment. This is due to a number of factors including perceived lack of understanding of risk/environment by QSAs, complexity of environment, distributed heterogeneous nature of environment, etc. Typically these organizations have very strong IT Audit functions and are able to dedicate the resources necessary to perform the self-assessments.

    @cmark, Are there any published studies which show percentages of Level 1/2’s which currently perform self-assessments? I think this would be the clearest indication in terms of numbers of who would be affected by the change.

  17. By Tim Sills on Jun 23, 2009

    I think this is going to cause confusion with the merchants much like it did when M/C originally came out with the SDP. I recall getting an early release from I think it was Stan Berlitz many years back and at the time we had to do 2 reports…one each for Visa and M/C.

    While the requirements were similar, the deal killer was M/C’s requirement for an HSM for key storage which spun many customers up cause Visa did not require it. And the customers would carry on about how they’d just stop taking M/C, etc. I suspect I’m going to start hearing those comments all over again.

    It was so nice to at least have everyone in step requirements wise when the council was formed…are we going to start seeing more fractured requirements from the card brands?
