Call Us Today! 636-557-7777  |  Get started now! |       STAY RESILIENT®

Level 2 Merchants Watch Out: Avoid Receiving a Letter from Your Acquiring Bank

This News Alert came out last year – “New MasterCard Site Data Protection rules take effect on June 30, 2012 catching many Level 2 merchants unprepared.”

Call this old news.  Regardless, Level 2 merchants are still catching up.  Elaborating on the news alert, here is the explanation.

“Effective 30 June 2012, Level 2 merchants must ensure that staff engaged in the self-assessment attend the PCI SSC ISA Program and pass the associated accreditation examination annually to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC-approved Qualified Security Assessor (QSA).”

“As of June 30, however, MasterCard began stipulating that all Level 2 merchants utilize a PCI security expert to both assess and validate their PCI DSS compliance. This change is a departure from the other major card brand (Visa, AMEX, Discover and JBC) validation requirements; up until this change, each card brand’s guidelines regarding merchant levels and validation type had been very similar.”

What does this all mean for Level 2 merchants?
The focus in 2013 has shifted drastically from Level 1 to Level 2 for compliance requirements and assessment. The risk is higher than before and if you have not completely addressed the gaps in your network environment, you should do so quickly.  One acquiring bank has clearly announced its plans and others will follow suit.  Card banks such as Visa and Master Card are approaching the merchants directly.  American Express is also sending out letters directly to merchants for their Data Security Operating Policy. (DSOP) Simultaneously, the merchant’s acquiring banks are made aware of this.

Level 2 Merchants: What should be your next steps?

  • First of all assess your merchant level correctly.
  • Quickly plan a course of action before the acquiring banks knock on your doors and set a deadline that might be impossible to meet without planned preparation.
  • Decide if you can manage a self-assessment or use a third-party QSA firm.

If self-assessment is the path you opt,

  • Start by assigning an employee who already possesses significant relevant security audit and assessment experience and has a deep understanding of data security to handle this project.
  • Pre-requisites might have to be met before the person can qualify for the Internal Security Auditor (ISA) training ISA training.
  • The personnel should understand that it is not a one-time training.  They would need to constantly review their knowledge, take tests and will be assessed on their skills and qualifications at least annually to continue their role as an ISA.
  • Use certified personnel to complete the self-assessment questionnaire. (SAQ)

If third-party Qualified Security Assessor is the next course of action,

  • Start with a gap assessment as soon as possible.
  • Note that systematically addressing gaps will take at least 6 months if not more to get to full compliance.
  • Addressing gaps prior to bringing in a QSA has typically shown higher rates of success and lower costs.
  • Use a Security Strategist’s help to complete the SAQ.

Note: Filling out an SAQ does not mean they match up with the requirements of PCI Data Security Standard (PCI DSS) controls. However, take every required step to close the gaps and control the deficiencies. You may not know what deficiencies are still lingering unless there is a forensics investigation after a breach when these deficiencies show up.  A sincere effort to have everything in place is the best way to address gaps.

View SAQ D Attestation of Compliance Form

Why Choose Omega?
Omega ATC understands the intricacies that lie within all the requirements that Level 2 merchants need to address.  We have dealt with most likely scenarios within a Level 2 merchant’s environment such as,

  1. Working with breach situations
  2. Working under tight deadlines to help the customer meet the PCI DSS requirements
  3. Preparing the customer for an audit
  4. Engaging our Security Strategist to address each and every one of the 286+ controls of an SAQ D
  5. Managing the entire project start to finish
  6. Applying the right technology for the end result
  7. And last but not least, working with POS and back office vendors to make it all happen.

Act Now
The deadline is here and now; there is too much to be done before a QSA comes in for an audit.  If you have not been already notified by your acquiring bank, you will soon be. Getting to compliance might seem overwhelming, but Omega is here to help you every step of the way.  Call us at 636-557-777.  Visit