PCI Human Train Wreck Coming Next Year For Level 2s

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Many Level 2 merchants are just now realizing that their PCI world has changed. Under rules announced this summer, Level 2 MasterCard merchants—like their Level 1 brethren—will require an onsite assessment by a QSA starting in 2010. What’s the difference between self-assessing and an onsite review? Actually, there are 525 differences.

But what I worry about most is a fourth quarter 2010 PCI train wreck as the new rules collide with human frailty and the calendar. The result may be that even some Level 1 merchants and processors don’t get their assessments (and ROCs) completed on schedule.

MasterCard’s Double-Barreled Announcement.
This past summer, MasterCard announced that all “Level 2 merchants must complete an annual onsite assessment conducted by a PCI SSC certified Qualified Security Assessor (QSA) and must validate compliance by 31 December 2010.” It also announced that Level 1 merchants previously using their internal auditors to validate PCI compliance must now have a QSA conduct that assessment.

MasterCard made one clarification, albeit a bit delayed, which eases the impact for some merchants. It removed what I call the “reciprocity gotcha” from its guidelines that, in this case, said if you are classified as a Level 2 merchant by one brand, then you are a Level 2 for MasterCard--regardless of your volume. For example, if you had 1 million Visa transactions and 500,000 MasterCard transactions, you would be a Level 2 for Visa and either a Level 3 or Level 4 for MasterCard. Because you are a Level 2 for Visa, under the reciprocity gotcha, you are now a Level 2 for MasterCard as well. In the good old days of self-assessment, this classification didn’t mean much. But with MasterCard’s new rules, being Level 2 means a whole lot. The good news, at least for some merchants, is that MasterCard removed this reciprocity provision from its merchant level definitions.

525 Ways A ROC Is Not A SAQ.
When a merchant validates its compliance with a Self-Assessment Questionnaire (SAQ), it checks a box for each requirement, thereby indicating that the control is in place. Most merchants are conscientious and careful, assembling an internal team of business and technology staff to tackle the project.

An onsite assessment is different. The assessor will need to see hard evidence of the merchant’s compliance in practice. For example, an internal team may be tempted to say, “We have a firewall, so we can check that box.” An assessor, on the other hand, would need to see a network diagram and examine the firewall rule set before determining if it is properly configured to meet the intent of the PCI requirements.

The PCI Council shapes the assessor’s role through its Quality Assurance (QA) program, which was introduced this year. This program promotes, in the Council’s words, “certainty that Assessors approved by the PCI SSC provide quality services to merchants and service providers by adhering to the high standards set forth in signed agreements and validation requirements.” It is a good program, with benefits for merchants and the assessors and scanning vendors evaluated.

As part of its QA program, the PCI Council developed a scoring matrix to evaluate ROCs (Reports on Compliance) submitted for review. QSAs, in turn, use the matrix to guide their onsite work. The matrix stipulates how QSAs should validate each PCI requirement, including observation, written documentation or interviewing the merchant’s staff. Here are two examples: For Requirement 3.2.1 (Do not store the contents of the mag stripe.), the matrix specifies seven sets of logs and databases to be sampled, examined and documented; for Requirement 5.2 (Ensure antivirus mechanisms can generate audit logs.), it specifies five separate actions, including documentation review, observations and a description of how the sample was drawn.

In total, there are 525 items specified in the scoring matrix and, believe me, your QSA will follow all of them. Failing to do so can mean that the QSA firm enters remediation (its name goes red on the PCI Council’s Web site) and, in extreme cases, that the firm may have its status revoked by the Council.

The Polar Express Train Wreck.
According to Visa, there are nearly 900 Level 2 merchants today. Let’s say only half of them will also be Level 2 for MasterCard (per my example, above), based on their actual transaction volume. That translates to about 450 new merchants that need an onsite assessment. Currently, there are only 352 Level 1 merchants (again, per Visa), which means 2010 will see an increase of over 125 percent in the number of merchants needing an assessment. How will we deal with this extra demand? Although the Council is training QSAs, I don’t think the number has increased by anywhere near 125 percent.

It’s not just the demand; it’s also timing. My guess is that few Level 2 merchants will move before mid-year. There is no benefit to delaying (PCI compliance is renewed annually, so it should make no economic difference whether you do it in the beginning of the year or at the end). But I try not to bet against human nature and the desire to delay the unpleasant. Now let’s factor in time for vendor selection and assessment preparation (remember the assessor’s matrix and all the required documentation), and the fact that first-time assessments can take longer and involve more remediation. The result may be a major train wreck in the fourth quarter of 2010 as an unusually large number of merchants and their QSAs scramble to document compliance. And, of course, this clamor happens just in time for the holidays.

In this scenario, some Level 1 merchants will suffer collateral damage. The number of new clients will stretch their QSAs, and seemingly minor remediation issues may lead to delays in Level 1 merchants’ own ROCs. One last kicker: Because PCI validation is annual, this fourth quarter crunch is perpetuated.

The Law of Unintended Consequences holds that no good act goes unpunished. MasterCard wants Level 2 merchants to have an onsite assessment. The PCI Council wants to monitor the quality of QSAs’ work. Each organization thinks it is doing the right thing. But when we combine these requirements with human nature and the calendar, we are headed into a 2010 year-end situation that may be painful for merchants and QSAs alike.

Will acquirers cut their merchants and processors some slack if things get tight? Will enough Level 2 merchants plan ahead and validate early? Will some Level 1 merchants with fourth quarter renewals (shock!) validate early and avoid the crush?

I’d like to know what you think. If you are a Level 2 merchant, what are your plans for your first assessment? Are you a Level 1 with a fourth quarter renewal? Do you disagree with my scenario? Please let me know. Leave a comment or send me an E-mail: [email protected].