Recently, Branden Williams alerted many of us that MasterCard Worldwide adjusted its validation criteria for Level 2 merchants. Both Visa and MasterCard, the industry leaders in global market share for locations where payment cards are accepted, had validation criteria that looked like this:
- Level 1 Merchants must validate using an external Qualified Security Assessor (QSA)*
- Level 2-3 Merchants must validate using an internal Self-Assessment Questionnaire (SAQ)
- Level 4 Merchants have no validation criteria at this time (though they must still comply like all other levels)
(* The well-trained eye will counter that Visa permits L1 Merchants to self-assess, but this was only with permission from the Acquiring bank and has since been removed from the Visa website.)
Recently, MasterCard changed their validation criteria to reflect a stricter stance on the matter. They noted that “All Level 1 and Level 2 merchants must use a PCI SSC certified Qualified Security Assessor for an onsite assessment.” Since most merchants that accept MasterCard also accept Visa, one can assume that (almost) all Level 2 Merchants must hire an external QSA.
The number of Level 1-4 merchants varies, and there are no hard numbers that I know of that can peg the market precisely, as merchants are always growing and changing. That being said, it is generally assumed to have the following breakdown (within the United States only):
- Level 1: 300-500
- Level 2: 1,500-2,000
- Level 3: 3,000-5,000
- Level 4: 4.7-4.8m
(The numbers are entirely different for other global regions such as Europe, South America, Canada, Asia, etc.)
Looking at these numbers, one can assume that currently 300-500 merchants are required to engage an external QSA annually to perform their PCI DSS audit. If we group Level 2 merchants into this fold, we would have 2,000-2,500 merchants annually that require this level of scrutiny.
Or as Anton Chuvakin put it, “Obviously, awesome news for security! Now folks who are hell-bent on not having any concerns for customer data will need to deceive an actual live QSA rather than simply lie on their SAQ…”
If we assume that many Level 2 merchants are already engaging QSAs to assist them on their projects, we still see a market size increase of anywhere from 2-4 times for the QSAs.
I’d generally agree with Anton, and with Branden Williams, who says, “Level 2 merchants are extremely significant in size, many of which being household names. Unfortunately, PCI self-assessments are typically poorly handled simply due to the complexity of the standard and lack of training provided to those individuals performing the assessment.”
Sure, the number of QSA companies is increasing, but I’m actually more concerned about the currently overworked assessors having even more work piled on. Martin McKeay notes the following: “I’m hoping that the quality of the assessors doesn’t fall because of the huge influx of QSA’s we’re needing to handle the work.”
I will continue to push for a higher quality of work within the industry. I know there are a number of people out there doing very high-quality work, but I want to take this chance to push for higher quality, not simply higher levels of security.
In a recent presentation from Peter Tippett of Verizon Business (ICSA Labs), he talked about the difference between aiming for perfect security and aiming for better “synergistic” security. Instead of trying to make a seat belt 3% better for 300% of the cost, we add airbags to a car, which make it 40% safer for only 10% additional cost. Let’s start thinking smarter, not harder.
If the QSA sector grows massively, we’re going to need to see some audit-type regulation being put in place by the PCI and payment brands. I think the fact that a QSA can implement and audit their own work right now, and that won’t influence their attestation, is an Enron-like problem. Internal audit departments, on the other hand, are good at dealing with this stuff, and frankly could use some upskilling. I think the PCI should be pushing QSA training for Internal Audit out instead of ‘bullying’ merchants to hire in external people, or, if they are hell-bent on using externals, then lower the unlimited liability clause to allow external audit to do it. I think the payment brands are reinventing the wheel.
Disclosure: I work for an auditing house, but not as an auditor.
I think one of the most forgotten items is that Level 2-4 merchants can validate with the Self-Assessment Questionnaire, and Level 1 merchants can request that their bank let them self-assess. If you have the skills internally, then ask to use them.
That being said, I think there are a number of skilled professionals out there that can provide a *huge* benefit in assisting the audit process. I’ve been involved in PCI DSS audits driven by the Internal Audit team of a company, and it was checklist based. That does not happen everywhere, but you really want these internal auditors trained as well.
I agree with what you’ve said, but it feels like the PCI is pushing the other way, for external QSAs, and Internal Audit isn’t ideal. If that is the case, and if the MasterCard change will drive more QSA work (I also think MC wants a QSA at some point if you use IA anyway), then they need to address the independence issue, which is my main point.
Here’s the interesting thing. I feel that the MasterCard change, along with other conversations in the industry, is going to push merchants towards adopting end-to-end encryption and other scope reduction measures faster than they would normally.
I’ll argue that the MasterCard change *could* increase the work for QSAs or it *could* drive people to reduce the amount of data they accept and retain.
The PCI Answers blog has a list of companies that currently offer end-to-end encryption options. Though, I’m not sure if they do so in South Africa yet. 😉