Recently, Branden Williams alerted many of us that MasterCard Worldwide adjusted its validation criteria for Level 2 merchants.  Both Visa and MasterCard, the industry leaders in global market share for locations where payment cards are accepted, had validation criteria that looked like this:

  • Level 1 Merchants must validate using an external Qualified Security Assessor (QSA)*
  • Level 2-3 Merchants must validate using an internal Self-Assessment Questionnaire (SAQ)
  • Level 4 Merchants have no validation criteria at this time (though they must still comply like all other levels)

(* The well-trained eye will counter that Visa permits L1 Merchants to self-assess, but this was only with permission from the Acquiring bank and has since been removed from the Visa website.)

MasterCard has now changed its validation criteria to reflect a stricter stance on the matter.  It states that “All Level 1 and Level 2 merchants must use a PCI SSC certified Qualified Security Assessor for an onsite assessment.” Since most merchants that accept MasterCard also accept Visa, one can assume that (almost) all Level 2 Merchants must now hire an external QSA.

The number of Level 1-4 merchants varies, and there are no reliable figures that I know of that can peg the market precisely, as merchants are always growing and changing.  That being said, the breakdown is generally assumed to be as follows (within the United States only):

  • Level 1: 300-500
  • Level 2: 1,500-2,000
  • Level 3: 3,000-5,000
  • Level 4: 4.7-4.8m

(The numbers are entirely different for other global regions such as Europe, South America, Canada, Asia, etc.)

Looking at these numbers, one can assume that currently 300-500 merchants are required to engage an external QSA annually to perform their PCI DSS audit.  If we add Level 2 merchants to this fold, we would have 2,000-2,500 merchants annually that require this level of scrutiny.

Or as Anton Chuvakin put it, “Obviously, awesome news for security! Now folks who are hell-bent on not having any concerns for customer data will need to deceive an actual live QSA rather than simply lie on their SAQ…”

Even if we assume that many Level 2 merchants are already engaging QSAs to assist them on their projects, we still see a market size increase of anywhere from 2-4 times for the QSAs.

I’d generally agree with Anton, and with Branden Williams, who says, “Level 2 merchants are extremely significant in size, many of which are household names. Unfortunately, PCI self-assessments are typically poorly handled simply due to the complexity of the standard and lack of training provided to those individuals performing the assessment.”

Sure, the number of QSA companies is increasing, but I’m actually more concerned about the already overworked assessors having even more added to their workload.  Martin McKeay notes the following: “I’m hoping that the quality of the assessors doesn’t fall because of the huge influx of QSAs we’re needing to handle the work.”

I will continue to push for a higher quality of work within the industry.  I know there are a number of people out there who are doing very high-quality work, but I want to take this chance to push for higher quality, not simply higher levels of security.

In a recent presentation from Peter Tippett of Verizon Business (ICSA Labs), he talked about the difference between aiming for perfect security and aiming for better, “synergistic” security.  Instead of trying to make a seat belt 3% better for 300% of the cost, we add airbags to a car, which makes it 40% safer for only 10% additional cost.  Let’s start thinking smarter, not harder.