July 30, 2010


Six Months Later, MasterCard Softens a Controversial PCI Rule

(December 23, 2009) MasterCard Inc. is changing a controversial policy, and pushing back a deadline, that it announced only six months ago regarding enforcement of the Payment Card Industry data-security standard. With the changes, which involve assessing computer systems for PCI compliance, MasterCard could be viewed as responding to valid complaints after first disclosing the planned changes, or it could be viewed as having done a flip-flop. Or both at the same time.

In June, MasterCard adopted a new policy governing whether big merchants can do so-called self-assessments of their PCI compliance. The new policy applied to so-called Level 2 merchants, those submitting 1 million to 6 million total MasterCard and Maestro (PIN-debit) transactions annually, and Level 1 merchants, those submitting more than 6 million transactions. MasterCard previously had let Level 2 merchants do annual self-assessments for PCI compliance unless they brought in a Qualified Security Assessor (QSA) certified by the PCI Security Standards Council for an on-site assessment. But come Dec. 31, 2010, MasterCard planned to require that all Level 1 and, for the first time, Level 2 merchants, use a QSA for the annual on-site PCI assessment.

That policy generated many complaints from Level 2 merchants, who security experts say would have to pay anywhere from $100,000 to $1 million for a QSA’s services. MasterCard’s policy also diverged from Visa Inc.’s, which lets Level 2 merchants do self-assessments. Many observers also wondered whether there were enough QSAs to go around to handle all the new work from Level 2s.

This month, however, MasterCard pushed back the deadline by six months, to June 30, 2011. And instead of requiring use of a QSA, MasterCard will let Level 2 merchants do the assessments themselves provided they have staff attend merchant-training courses offered by the PCI Council, and each year pass a PCI Council accreditation program. Level 2 merchants are free to use QSAs if they wish. Come June 30, 2011, Level 1 merchants can use an internal auditor provided the audit staff has PCI Council training and annual accreditation.

MasterCard also said its definitions of merchant levels now match Visa’s, so, for example, if a merchant is a Level 2 merchant in Visa’s eyes, it’s also one in MasterCard’s eyes. The upside of that is more uniformity for merchants trying to please four or five (if JCB is counted) payment networks that separately enforce the one set of PCI rules. But with Visa being the largest card network and MasterCard No. 2, some merchants could be pulled up a level, possibly increasing their PCI compliance costs. While the basic rules are the same for all merchants, compliance generally is more complex and expensive for the bigger ones—Levels 1 and 2—than Level 3 and Level 4 merchants, the last being the smallest. (Visa reports that as of Sept. 30, the U.S. had an estimated 895 Level 2 merchants that accounted for 13% of Visa transactions. Visa estimated the Level 1 population at 352 merchants generating 50% of all Visa transactions.)

MasterCard provided only brief e-mailed responses to Digital Transactions News questions. “MasterCard’s changes to on-site assessment requirements for Level 2 merchants were made to infuse additional quality and consistency in the Level 2 merchant’s self assessment by ensuring that those employees who perform the assessment are properly trained in the PCI DSS,” a spokesperson says. MasterCard says it is working with the PCI Council “to expand its training and accreditation to the merchant community.” The Council in September announced plans to establish an internal-assessor program for merchants in 2010, according to MasterCard.

Security experts had both praise and criticisms of MasterCard’s latest changes. “This is kind of good news for merchants,” says Avivah Litan, a technology analyst with Stamford, Conn.-based Gartner Inc. “I had expected MasterCard to retrench on this [the June changes] because No. 1, they were out of sync with Visa.” She adds that there were questions about whether there were enough QSAs to meet the new demand from Level 2 merchants. What’s more, she says, QSA pricing varies widely and the quality of their work reflects that. “It’s very uneven.”

Branden Williams, director in the security consulting practice at Hopkinton, Mass.-based EMC Corp.’s RSA subsidiary, says he likes the fact that MasterCard has made its PCI enforcement policies similar for Level 1 and Level 2 merchants. But in a blog posting, he said MasterCard’s “got its flippy-floppies.”

The deadline change especially, Williams tells Digital Transactions News, undermines merchants’ perception that they really do need to work toward meeting the PCI rules by a set time. “People are not going to take them seriously,” he says.

MasterCard wouldn’t comment about the consultants’ assessments.








Copyright 2010 by Boland Hill Media LLC. All the text, graphics, audio, design, software, and other works are
the copyrighted works of Boland Hill Media LLC. All rights reserved. Any redistribution or reproduction of any
materials herein is strictly prohibited.