MasterCard Blinks, Drops Dec. 31 Level 2 PCI Deadline

MasterCard has quietly backed off from a much-complained-about plan to require Level 2 merchants to—for the first time—have an onsite QSA assessment completed by the end of 2010. Having a New Year's Eve deadline—on the heels of the all-encompassing holiday season—was a recipe for tons of missed deadlines.

The first MasterCard change made this month was pushing the Dec. 31, 2010, deadline back six months, to June 30, 2011. But MasterCard has also made two other key PCI changes. It has redefined how a retailer's Level (Level 1, 2, 3 or 4) is determined, so that it now explicitly mirrors whatever Level Visa has assigned. (The language used to say "competing brand.") The last of the changes is to allow Level 1 and Level 2 retailers to perform their own assessments, using the retailer's own salaried audit staff, as long as those audit staffers have passed PCI-approved training courses.

Update To This Story: MasterCard Clarifies Its Thinking

Walt Conway, a QSA for 403 Labs who also writes StorefrontBacktalk's weekly PCI column, applauded the MasterCard move, but said the change isn't entirely good news for retailers. That's because the agreement to mirror whatever Level Visa has assigned will likely promote many chains that simply had far more Visa transactions than MasterCard transactions. Because Visa generally treats Level 2s less strictly than does MasterCard, these promotions may not be universally welcomed.

"A bunch of Level 3 and Level 4 merchants just became Level 2s," Conway said. "With this reciprocity gotcha, MasterCard giveth and MasterCard taketh away."

One advantage of the change is simple cost savings, as training the existing audit staffers will almost certainly cost a lot less than paying for an outside QSA.

"We heard at the PCI Community Meeting that the Council was working on a certification program for merchant staff that would be modeled on the current QSA training," Conway said. "It appears the training (and certification) will be in place by next year, and MasterCard is reflecting this development in its PCI validation requirements."