Revisiting the PCI DSS Level 2 merchants considerations around SAQs

Recently, a merchant reached out regarding an unexpected ask from its acquiring institution. It is a Level 2 merchant (as defined below) that traditionally completed its own Self-Assessment Questionnaires for Payment Card Industry (PCI) compliance reporting. According to this merchant, the acquirer asked for an Attestation of Compliance (AOC) signed by a Qualified Security Assessor (QSA), not by a company officer. 

The request stemmed from a specific rule implemented by MasterCard in 2012, but has been largely remained unknown by the merchant community since. With the maturity of PCI standards and their requirements, we have noticed how acquirers are focusing beyond the big merchants (Level 1) and paying more attention on Level 2, 3 and 4 merchants, and may increase focus on requiring AOCs signed by a QSAs or an Internal Security Assessor (ISA).

The PCI Data Security Standard (DSS) is a set of requirements for securing payment card data that applies to merchants and service providers that store, process or transmit cardholder data. The DSS defines the technical and operational security requirements for these organizations, designed to prevent attacks aimed at stealing cardholder data. 

Merchants must complete an annual attestation of compliance with the DSS, and the PCI Security Standards Council (SSC) has published a variety of tools smaller merchants can use to assess their level of cardholder data security, most notably the SAQ.

The PCI SSC has published clear requirements for merchant PCI reporting that depend on the volume of payment card transactions processed each year. Larger merchants—often the top targets for criminals seeking to steal card data—have more formalized reporting requirements. Visa, MasterCard and Discover define Level 1 merchants as those processing over 6 million card transactions annually. These Level 1 merchants are expected to complete an annual Report on Compliance (ROC) with the assistance of a PCI SSC-approved QSA or PCI SSC-certified ISA and also submit its respective AOC form. 

Level 2 merchants—those that process between 1 million-6 million card transactions annually—have a few different options for reporting. Level 2 merchants have the option of foregoing a formal ROC and can complete the SAQ. Different questionnaires apply depending upon the payment channels accepted by the merchant—for example, e-commerce, in-person or standalone, dial-out terminals. Initially, merchants were able to complete and sign-off on the questionnaire without QSA or ISA assistance. 

However, in 2009, MasterCard introduced changes that required Level 2 merchants using an SAQ to perform the assessment with a QSA or ISA:

The deadline for enforcement was pushed back to June 30, 2012, but based on the ask that stemmed this article, some Level 2 merchants still do not conduct their annual PCI DSS assessments with the involvement of a QSA or ISA. It is important to note that other card brands do not have this same requirement as MasterCard, so the lack of consistency could be the source of confusion. However, due to this MasterCard requirement, Level 2 merchants should be prepared to perform their annual compliance assessment with the help of a trained ISA or QSA.

A PCI QSA is a third-party, independent organization that has been qualified by the PCI Security Standards Council to validate an entity’s adherence to the PCI DSS. An ISA, meanwhile, is an employee of a merchant or service provider—usually an internal security audit professional—who has undergone PCI DSS training and certification and maintained annual requalification requirements. Both QSAs and ISAs must complete an initial training at an in-person, instructor-led class. 

Both have qualification requirements for background experience in auditing and information security, including five years of relevant experience as well as industry-recognized professional certifications like CISSP or CISA. Both also have ongoing costs to maintain, in the form of annual continuing professional education requirements. The main difference between the two is that an ISA is an employee of the merchant or service provider, while the QSA is a third party that is hired for a limited time to perform the PCI DSS assessment. 

Many Level 2 merchants—those affected by the MasterCard requirement—may not have the internal audit staff available to complete and maintain an ISA certification. In addition, there is a risk that newly trained ISA staff are difficult to retain. Many merchants find that the limited engagement with a QSA firm is a more affordable and risk-averse choice for completing annual compliance requirements.

MasterCard’s unique requirement for Level 2 merchants means that organizations must be prepared to complete their SAQ and AOC with the assistance of a trained QSA or ISA. This is not a new requirement, but many acquirers are paying attention to the MasterCard requirement and could now enforce it. QSA firms present an effective solution for completing annual compliance activities without the costs, effort and risk of maintaining an internal ISA resource.