"This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually," wrote Branden Williams, in his excellent Security Convergence Blog, which seems to have broken the story on Wednesday (June 17). The blog also reports that none of the other card brands—including Visa, the Uber Brand when it comes to PCI issues—have done the same.
There's no dispute that this is a significant move, but whether it will truly have any lasting—and meaningful—impact is unclear. That's because of a few issues, especially the confusing rules surrounding self-assessments.
It was late in 2007 when Visa started allowing Level 1s to self-assess. Even that was not so dramatic, because it could only happen when there was agreement among the retailer's execs, the acquiring bank and the card brand. Heck, if a retailer can get agreement among all three of those groups, there's no PCI rule that can't be changed or waived. That's akin to saying that an American consumer can do something as long as the Senate, House, White House and Supreme Court all sign off.
I am going out on a limb to say that any Level 2 retailer will still be able to self-assess, as long as the retailer can make a solid argument to the acquiring bank that it can handle the form and that it has passed assessments with flying colors many times. This also assumes that the brand has no objection.
Adding more confusion to this situation is that it's MasterCard doing it. Let's be candid. MasterCard, American Express, Diner's Club, JCB and the others are powerful brands (OK, maybe that's pushing it a bit with Diner's Club. Seen many around lately?). But as powerful as they are, it's Visa that calls the shots these days on PCI matters. If Visa doesn't make similar changes, it's not clear what will happen. What will the acquiring banks do?
That all said, it's unclear what is behind this. It may be that MasterCard is not so much trying to be more stringent with Level 2s as trying to crack down on the extremely common inaccurate answers—based on misunderstood questions—coming from self-assessments. If this is the beginning of a campaign to eliminate self-assessments for all retailers in Levels 1, 2 and 3, that could prove very interesting.
If it is, though, that raises logistical issues. The most prominent such issue is "Where are all of these assessors going to come from?" Performing assessments has never been especially profitable, unless lots of related hardware and software sales are bundled. A flood of new assessors is likely to have the opposite of the intended impact. New assessors are likely to generate almost as many mistakes as the self-assessments they're supposed to replace.