150 Transactions + 1 = QSA assessment: End of Level 4 Merchants
July 27th, 2009 by cmark
Posted in PCI DSS

The Society of Payment Security Professionals accepted our first JCB transaction this weekend. I should be happy, but instead I am dismayed. I am not upset because we accepted a JCB transaction. I am upset that, while we accept fewer than 750 payment card transactions per year in total (fewer than 150 of them MasterCard), we are now required under the card brand rules to engage a QSA for an onsite assessment. For my 150 MasterCard transactions, I can now expect to pay $10,000 or more for a QSA to validate the Society's compliance.
How did this happen?
MasterCard's recently announced changes to its merchant validation program carried another change that was overlooked by many, including this author. In addition to now requiring all level 1 and level 2 merchants to undergo an onsite assessment by a QSA, MasterCard also redefined its level 2 and level 3 categories: each level now covers merchants that meet MasterCard's own transaction threshold for that level as well as any merchant that another card brand has identified as a level 2 or level 3 merchant.
This may not look like a significant change, but a review of the other card brands' programs shows that it will effectively eliminate level 4 for many, if not most, merchants.
MasterCard, Visa, and Discover each define 4 merchant levels, and their thresholds are identical. American Express, however, defines only 3 merchant levels, and JCB only 2. This means that if I accept 1 MasterCard transaction, MasterCard classifies me as a level 4 merchant, and MasterCard does not require PCI DSS validation for level 4 merchants. If I also accept a single American Express transaction, American Express classifies me as a level 3 merchant, and American Express does not require PCI DSS validation of level 3 merchants either. Under MasterCard's reciprocity rule, however, my company would now be classified as a MasterCard level 3 merchant, which requires completion of a Self-Assessment Questionnaire (SAQ) and a validation scan.
If my company then accepts a single JCB transaction, JCB classifies it as a JCB level 2 merchant. JCB does not require validation of its bottom tier (level 2); however, MasterCard would now consider my company a level 2 merchant (through reciprocity) and would require it to engage a QSA for an onsite assessment. Strictly following the rules, a company could accept a single MasterCard transaction and a single JCB transaction and be required by MasterCard to engage a QSA for an onsite assessment.
Conversely, if I am a merchant that accepts 1,000,000 Visa transactions per year and nothing else, I am classified as a Visa level 2 merchant. This requires validation through an SAQ and a validation scan by an Approved Scanning Vendor (ASV). The moment I accept a single MasterCard transaction, I would be required, under a strict reading of the rules, to engage a QSA for an onsite assessment. In this scenario a single transaction causes my company to spend tens of thousands of dollars more on validation.
The intent of the MasterCard update is clear and laudable. The impact, however, is troubling for many merchants. In this situation I would be better served by refusing JCB transactions than by increasing my compliance costs and headaches so dramatically. (As a note, I don't really know whether we actually accepted a JCB transaction. This was included only for discussion purposes.)
5 Responses to “150 Transactions + 1 = QSA assessment: End of Level 4 Merchants”
By Jestep on Jul 27, 2009
I hope that was a really good sale for you guys, ouch…
By tmarley on Jul 28, 2009
This really did happen at my former employer. As an "upscale" retail clothing chain, we had a higher percentage of AMEX than your typical retailer. So the scenario you played out above IS happening. My employer is no longer in business (unrelated to meeting PCI requirements). I can only imagine going to the CFO with the QSA requirement thanks to AMEX.
This is laughable. Why agree to uniformly accept the DSS, and then set your own levels of compliance?
By Bryan Johnson on Jul 30, 2009
Chris - that’s a great catch. It’s surprising to me that JCB would do this as it discourages acceptance of their card type.
By MikeOP on Aug 3, 2009
When I did my QSA training, we were told all the card brands recognised the highest merchant level assigned by any one card brand - that was years ago, so I think this issue has always been present.
I did not, however, remember JCB only having two merchant levels. That’s a problem.
By Ray Sbrusch on Sep 18, 2009
Did Mastercard change the definition again? Today, the merchant definition page no longer includes the clause about one’s status with other card brands.
http://www.mastercard.com/us/sdp/merchants/merchant_levels.html