MasterCard Requires QSA for Level 1 and 2 Merchants

June 18th, 2009 by cmark. Posted in PCI DSS.

MasterCard recently announced changes to its Site Data Protection program. The updates now require Level 1 and Level 2 merchants to engage a Qualified Security Assessor (QSA) to validate compliance with the PCI DSS. Additionally, MasterCard redefined the service provider thresholds and levels to align with Visa: Level 1 service providers are those that store, transmit, or process more than 300,000 MasterCard transactions/accounts per year, and Level 2 service providers are those that handle fewer than 300,000.

The main point of the merchant changes is that Level 1 merchants must now use a QSA, where before they were able to self-assess. Additionally, Level 2 merchants are now required to use a QSA, where before they were allowed to complete a Self Assessment Questionnaire (SAQ).

These are major changes that are sure to have a significant impact within the industry. While I used to work at MasterCard and I like and respect the MasterCard team very much, I certainly question the rationale behind the changes. If one looks at the 5 largest breaches in history (all since 2005), all five companies had been assessed, or were in the process of being assessed, by a QSA. 3 of those companies were not even merchants; they were processors (and acquirers) that had been validated for multiple years. This clearly appears to be a response to the increased attention that the PCI DSS is garnering in Congress and in the public in general. Many would likely agree that this is a troubling response. According to the ID Theft Resource Center, data breaches increased over 47% from 2007 to 2008, in spite of the increased regulatory focus of state breach notification laws and the PCI DSS. One has to question the value of requiring more merchants to engage QSAs when the anecdotal evidence suggests that the use of a QSA does not appreciably reduce the likelihood of a breach.
When the latest breaches of major processors were announced, the prevailing position from the PCI stakeholders was that “compliance is different from validation”. If this is indeed accurate, then it appears that they are divorcing themselves from the value of validation. Those companies, while each having been validated by a QSA for over 4 years, were immediately found ‘non-compliant’ after the breach. While I am not arguing whether they were or were not compliant, the fact remains that they had each been validated by the largest and most prominent QSA in the industry. If they were not compliant, yet they were validated, then logically we can say that either 1) the QSA did not do its job or 2) there is limited value in QSA validation. Since the QSAs are responsible for such validation, if they were negligent then it is a further indictment of the value of QSA validation.

I think most would agree that third-party validation of compliance with any standard has value. The cost and business impact of such an assessment, however, needs to be weighed against the value it provides in terms of risk reduction. Many Level 2 merchants are in the position of competing against their larger Level 1 competition. Requiring them to spend hundreds of thousands, if not millions, of dollars on validation and remediation is difficult to justify in today's environment and in the face of the anecdotal evidence. This author suggests that pursuit of alternative methods of securing payment card data (EMV, E2E, tokenization, advanced authentication technologies), coupled with increased education of the industry at large, would be a better investment than stricter validation requirements on merchants. To date, increasingly strict validation requirements have not correlated with reduced data compromise. If our goal is truly protecting data, then we should be evaluating solutions that directly reduce the likelihood of compromise or fraud.