According to the rules set forth by the major credit card brands and the Payment Card Industry Security Standards Council, all merchants that store, process, or transmit cardholder data must be PCI compliant.

On June 30, 2012, the process for validating compliance via a Self-Assessment becomes significantly more rigorous for MasterCard’s Level 2 merchants: Self-Assessments must be completed by employees that have attended PCI SSC Internal Security Assessor (ISA) training and have passed the associated accreditation program annually.

“MasterCard’s guidelines were first published in 2009, but many merchants have yet to send employees to ISA training. And even if they have, company officers may not want to sign their name to a Self-Assessment report developed solely by a rookie ISA,” says Kurt Hagerman, Coalfire’s PCI practice leader.

“The ISA training program–and by extension, an internally-led PCI attestation–is a great strategy for many merchants. But the program isn’t a shortcut to validation. All the PCI 2.0 requirements still apply, and merchants still need a fully-documented, evidence-backed report to protect themselves.”

To help those merchants, Coalfire has developed a PCI Level 2 Merchant Support Program. There are four elements to the program:

  • Free use of Navis Rapid SAQ, a cloud-based solution for completing and maintaining a Self-Assessment Questionnaire
  • Discounts on:
    • Navis Scan Complete, Coalfire’s subscription service for internal and external vulnerability scans (as required to meet PCI requirement 11.2)
    • Internal and external penetration tests (as required to meet PCI requirement 11.3)
  • A gap analysis program, led by a Coalfire-qualified security assessor, designed to jump-start an ISA-led compliance validation effort.
  • An on-site assessment by a Coalfire QSA, leading to an auditor-signed Report on Compliance (ROC). Merchants may use a Coalfire ROC as an alternative to an ISA-led validation.

This program is available to anyone who can demonstrate that they have been classified by their processors as a Level 2 merchant.

According to MasterCard, a Level 2 merchant is any merchant with more than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually, or any merchant meeting the Level 2 criteria of Visa.

“There are thousands of Level 2 merchants in the U.S. alone, and many of those will be asked for an ISA-signed SAQ or a report by an independent assessor like Coalfire,” says Rick Dakin, Coalfire’s CEO and chief security strategist.

“As the industry’s leading independent QSA, we know how much work is required to do an accurate assessment. That’s why we developed this program. We want to help them get more secure and avoid whatever fines and penalties banks might impose for non-compliance.”
