Friday, June 26, 2009

Are You Sure MasterCard’s PCI Ruling Affects You?

If you’re a Level 2 retailer who has been dutifully completing your annual PCI self-assessments — quietly chuckling to yourself about the stricter rules facing Level 1 retailers — the joke’s now on you. And if you’re a Level 3 retailer, guess who might be next?

MasterCard has decided that all Level 2 merchants, those who process between 1 million and 6 million credit card transactions, must have on-site PCI validation assessments completed by December 31, 2010. Previously, Level 2 retailers, roughly 10,000 in the U.S., were only required to submit annual self-assessments. (See MasterCard’s merchant level definitions.)

Level 2 retailers, who typically have between 50 and 250 locations, should start planning now in order to meet the December 31, 2010 deadline. “It will take six months to a year for a Level 2 retailer to implement this,” Retail Technology Experts president Mahendran Ramanathan told me.

However, retailers should also remember that transactions are counted per card brand, not in aggregate. For example, if your company processes 2 million credit card transactions in total, you aren’t necessarily a Level 2 retailer. You may have 800,000 MasterCard transactions, 600,000 Visa transactions, and 600,000 American Express ones. In that case, you’re a Level 3 retailer and thus are not required to have an on-site validation assessment.

At least for now. “You can see the trajectory on this,” Reliant Security managing partner Mark Weiner told me. “Bit by bit, the card brands have been tightening the validation requirements. At some point, the validation requirements are going to dip lower and lower into the other levels.”