by Natasja Bolton, QSA, CISSP [17.34, 10/01/2019]
Becoming a Level 2 or Level 1 merchant
Most businesses that accept branded payment cards for the purchase of goods or services (merchant businesses) are today already familiar with the annual process of accessing their acquiring bank’s compliance management portal to self-assess their compliance with the Payment Card Industry Data Security Standard (PCI DSS). This is the PCI DSS compliance assessment procedure required of them as a Level 4 or Level 3 merchant by their acquiring bank.
While many of those merchant businesses will be aware that any organisation which processes, stores or transmits cardholder data is required to comply with the PCI DSS, they may not be aware of the payment card brands’ PCI DSS compliance programmes that underlie the acquiring banks’ management of their merchant compliance. Those payment card brand PCI DSS compliance programmes set out for the acquiring banks not only their obligation to require annual compliance validation from their merchant customers but also the compliance reporting requirements for different categories (or levels) of merchant.
Merchant businesses whose increasing annual payment card transaction volumes trigger a change in their merchant level to Level 2 or Level 1 may therefore be surprised to be told by their acquirer that their new merchant level also comes with different PCI DSS compliance validation and reporting requirements. To help merchants understand the reasons behind, and the implications of, their change in merchant level, it is worth examining PCI DSS compliance responsibilities and compliance validation.
PCI DSS compliance roles and responsibilities are illustrated below:
Compliance is not a legal requirement; it is the responsibility of all entities involved in payment card processing, be they merchants, processors, acquirers, issuers, and/or service providers.
The obligation to comply is often driven by contractual agreements between entities – for example between payment card brands and their members (acquiring banks), or between a merchant and their acquiring bank. All acquiring banks are required by the payment card brands’ operating regulations to ensure their merchants comply with the PCI DSS.
In addition to the requirement for entities to comply with the PCI DSS, to ensure the protection of the account data they store, process or transmit, some entities may also be required to validate their compliance.
Compliance validation involves the entity verifying and demonstrating their compliant status against the PCI DSS requirements.
In the case of merchants, compliance validation involves providing the required compliance reporting to their acquiring bank (or equivalent). The requirement for an entity to validate their PCI DSS compliance is entirely separate from the obligation to comply with the requirements of the PCI DSS.
Each payment card brand has developed and maintains their own PCI DSS compliance programme. These compliance programmes define each brand’s annual PCI DSS compliance validation and reporting procedures for merchants and service providers.
- Mastercard Site Data Protection (SDP) Program: https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/site-data-protection-PCI.html
- Visa Cardholder Information Security Program (CISP) or Account Information Security program (AISP): https://usa.visa.com/partner-with-us/pci-dss-compliance-information.html
- American Express: https://www.americanexpress.com/uk/merchant/support/data-security/information.html (UK); https://merchant-channel.americanexpress.com/merchant/en_US/data-security?linknav=US-oneAmex-axpSearchResults-1&searchresult=data%20security (US)
- Discover Information Security & Compliance (DISC) Program: https://www.discovernetwork.com/en-us/business-resources/fraud-security/pci-rules-regulations/discover-information-security-compliance
- JCB Data Security Program: https://www.global.jcb/en/products/security/data-security-program/index.html
The acquiring banks are required to enforce the PCI DSS compliance programme requirements of each payment card brand (of which they are a member). The programmes define categories (levels) of merchant and service provider. It is the merchant’s or service provider’s level that determines their PCI DSS compliance validation and reporting requirements.
In summary, the payment card brands’ merchant levels and associated compliance validation and reporting requirements are:
As can be seen from the table above, the compliance validation tool for merchants at Levels 4 and 3 is the Self-Assessment Questionnaire (SAQ), supported by external network scan results completed by an Approved Scanning Vendor (ASV) (if applicable). Compliance is reported through completion of the associated Attestation of Compliance (AOC). There are eight merchant SAQ categories (A, A-EP, B, B-IP, C, C-VT, P2PE and D) the selection of which depends on how the merchant accepts and processes payment cards.
As a Level 4 or 3 merchant, you may be familiar with self-assessing your merchant payment processing activities through your acquiring bank’s compliance management portal. The online portal takes you through the process of determining the applicable SAQ by asking a series of ‘profiling’ questions, provides access to the ASV scan management tool (if the selected SAQ requires external network scans) and presents the SAQ as an online questionnaire for you to complete. Once you have successfully completed the online SAQ, you are able to attest to your compliance with the PCI DSS; the online equivalent of signing the AOC.
Compliance validation and reporting differences for Level 2 and Level 1 merchants
Merchant level is determined by your acquiring bank. Your acquiring bank will notify you when your transaction volumes exceed the limits for classification as a Level 4 or Level 3 merchant.
Level 2 merchants
In most cases, once a merchant reaches Level 2 they are no longer eligible to complete their compliance assessment through the acquirer’s online compliance management portal. The process of scoping the PCI DSS assessment, identifying the SAQ(s) applicable to the merchant’s card payment processing, completing the compliance assessment and producing the required validation reporting documents (the AOC) becomes the merchant’s own responsibility.
Level 2 merchants are still eligible to self-assess their compliance using the appropriate SAQ(s). So, at its simplest, becoming a Level 2 merchant from Level 4 or 3 may have little impact – if you completed an SAQ B-IP for compliance assessment previously, it is likely that the same SAQ will apply now that you are a Level 2.
However, due to the significant volume of transactions and therefore the potential impact, in terms of the volume of compromised cards in the event of a breach, Mastercard requires additional assurance from Level 2 merchants. Mastercard specifies additional requirements to help ensure that the merchant’s compliance assessment has been scoped accurately and that the self-assessment has been completed correctly.
Be aware that Mastercard considers a merchant to be Level 2, not only on the basis of the volume of Mastercard and Maestro transactions a merchant processes annually but also if Visa considers the merchant to be a Level 2 (if the merchant processes 1 to 6 million Visa transactions annually, across all payment channels).
Mastercard gains that additional assurance in the compliance of Level 2 merchants by requiring that the staff member engaged in the merchant’s self-assessment (i.e. the person assessing the merchant’s compliance and completing the SAQ) is accredited as a PCI Internal Security Assessor (ISA). An ISA is an employee of the merchant who has completed the PCI SSC’s ISA training and passed the associated exam: https://www.pcisecuritystandards.org/training/isa_training.php. Qualified ISAs are listed on the PCI Security Standards Council’s website (https://www.pcisecuritystandards.org/assessors_and_solutions/internal_security_assessors) and must re-qualify annually. If the ISA completes a passing SAQ, then the ISA must also complete Part 3d in the merchant’s Attestation of Compliance (AOC), formally stating the ISA’s role in performing the self-assessment of compliance.
Mastercard also gives Level 2 merchants the option of engaging a PCI Qualified Security Assessor (QSA) to complete an on-site formal assessment of compliance instead of completing the self-assessment. For merchants that do not have their own ISA and do not want the expense of putting an employee through the annual ISA training and exam, this can be a useful option.
It is worth noting that some acquiring banks offer another compliance validation option for merchants that do not have their own ISA. This option involves the merchant engaging a QSA to carry out their self-assessment of compliance. The QSA performs the testing procedures required for each PCI DSS requirement in the applicable SAQ. For a passing, compliant assessment the QSA will then complete Part 3c, ‘Qualified Security Assessor (QSA) Acknowledgement’, in the merchant’s AOC; the QSA will not produce a Report on Compliance (ROC). This option allows the merchant to save on the annual cost of maintaining their own PCI qualified ISA and some of the costs of a QSA-led formal assessment, as there is no ROC documented by the QSA. Before taking this compliance approach, Level 2 merchants should confirm with each of their acquirers whether a QSA-completed self-assessment will be accepted for their Level 2 compliance validation and reporting.
Preparing for Level 1 compliance validation
Undertaking a QSA-led formal assessment of compliance can be a valuable preparatory step for Level 2 merchants on the cusp of reaching Level 1 status. An on-site assessment includes the QSA’s validation of the merchant’s cardholder data environment and confirmation of the accuracy of their assessment scope, as well as the QSA performing the required testing procedures for each applicable PCI DSS requirement.
By carrying out the on-site assessment, the Level 2 merchant gains a deeper understanding of how the PCI DSS applies to their payment processing activities and cardholder data environment, and the confidence that when they become a Level 1 merchant, at which point a formal assessment and a ROC are the required PCI DSS compliance validation procedure, they will be able to maintain their PCI DSS compliance with no gaps in their compliant status.
It is not unusual for merchants that only engage with a QSA at the point they reach Level 1 status to find that they are not as compliant as they thought. For example, in validating the merchant’s assessment scope, the QSA may find that the merchant had incorrectly defined their cardholder data environment, excluding networks or systems from assessment scope due to misunderstanding or oversight.
In completing the PCI DSS testing procedures, which require the assessing QSA to gather evidence of compliance by reviewing documentation, observing system configurations and settings, interviewing personnel, sampling systems and locations, etc., it may be found that the merchant had misinterpreted the intent of a PCI DSS requirement or not fully fulfilled its objective. This can mean that to achieve compliance as a Level 1, the merchant needs to put in significant remediation effort or to make changes to their environment to achieve their desired assessment scope. Indeed, on reaching Level 1, some merchants ‘fall out’ of PCI DSS compliance because they are unable to pass the formal assessment on the first attempt.
Level 1 merchants
Level 1 merchants are those processing over 6 million Visa, Mastercard or Discover transactions annually, over 2.5 million American Express transactions or over 1 million JCB transactions. Level 1 merchants are required to undergo a formal assessment of compliance with the completion of a ROC and the Attestation of Compliance for Onsite Assessments (https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2_1-AOC-Merchant.docx). The QSA-led on-site assessment includes assessment scope validation and the completion of all required PCI DSS testing procedures.
Note that it may be possible for the assessing QSA to use SAQ eligibility criteria to determine the applicability of PCI DSS requirements for the formal on-site assessment. This may mean that a previously self-assessing merchant meeting the eligibility criteria for the SAQ A, SAQ P2PE, SAQ C-VT, etc. may be able to achieve compliance as a Level 1 through on-site assessment of the PCI DSS requirements set out in the applicable SAQ.
See PCI SSC FAQ 1331 for more details of this approach. This FAQ explains that, with the agreement of their acquiring bank, merchants with environments that fully meet all the eligibility criteria defined in a particular SAQ may use that SAQ as a reference to identify the applicable PCI DSS requirements for that environment.
In most cases, a Level 1 merchant will engage a QSA to perform the compliance assessment. QSA companies are listed by the PCI SSC here: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
The assessing QSA is required to document the results of the merchant assessment using the PCI approved Report on Compliance (ROC) template. The current PCI DSS v3.2.1 version of the ROC template can be found here: https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2_1-ROC-Reporting-Template.pdf. Use of the ROC template is mandatory and helps to ensure a consistent level of reporting by QSAs. The QSA is not permitted to add or amend the structure, formatting or content of the ROC template – they must only complete the tables and add content to ROC sections as required to report the merchant’s compliance.
Both the Mastercard and Visa PCI DSS compliance programmes allow Level 1 merchants to conduct their annual on-site assessment using an internal auditor. Visa permits this if the ROC is signed by an officer of the company while recommending that the auditor is also a certified ISA. Mastercard however requires that the primary internal auditor staff, validating the Level 1 merchant’s compliance, is a certified ISA.
Exemptions, waivers and alternative validation options
As a final note, please also review the individual payment card brands’ compliance programmes and engage with your acquiring bank to see whether you may apply for, or your payment processing qualifies for, any of the available PCI compliance exemptions, waivers or alternative validation options.
For example, merchants meeting certain specific criteria, such as those processing at least 75% of transactions via EMV-enabled chip card terminals or those that have deployed a validated point-to-point encryption solution, may receive a PCI waiver or may not be required to validate compliance.