With the new year comes new PCI information, even if that info really came out last year and no one paid attention. What do I mean? Read on…
Not many people noticed Visa’s announcement last month detailing changes to merchant and – importantly – third-party processor PCI compliance. I thought I’d try to shed some light on what may end up being significant both to Higher Ed institutions and to your service providers.
The objectives of Visa’s November 18 Security Bulletin (which followed an earlier press release on the same topic) are to increase PCI compliance and to harmonize validation requirements for Visa merchants and processors worldwide. The changes are effective February 1. While the bulletin states that there is nothing new for US merchants, a couple of things caught my attention, and there are potentially significant changes for US third-party providers.
Merchant Levels. The bulletin states:
Acquirers are responsible for identification of merchant validation level based on the number and type of transactions processed by that acquirer...Merchant level identification is based on the corporate entity’s total volume meeting the transaction thresholds in one country or with one acquirer per year. Volume from independently owned and operated merchant locations (e.g., franchisee, licensee) may be excluded if it is not handled by the corporate entity.
Note the part about “Merchant level identification is based on the corporate entity’s total volume”. If acquirers interpret this to mean that the entire school’s volume counts toward its merchant level, some schools may find that instead of a lot of Level 4 merchants they are now a single Level 2 or Level 3 merchant. I don’t want to raise any alarms here because, in reality, this might not be a big deal so long as you don’t get thrown into Level 1 (over 6 million Visa transactions annually). That is, you still self-assess, and you still don’t need a QSA to validate your compliance. Remember that for Levels 2-4 compliance validation is the same: what matters most is how you take cards and, therefore, which SAQ you use. Your merchant level is not that important. Nevertheless, my suggestion is to check with your acquirer/processor to see if there will be any change to your merchant level in the coming year.
Compliance reporting. The bulletin reiterated that Visa will require acquirers to report compliance for all their Level 1, 2, and 3 merchants twice a year. The message to me is that Visa (and probably the other brands, too) is increasingly emphasizing merchant compliance. If you combine this requirement with Visa’s October ‘07 mandates for L4 merchants, it looks like the brands’ emphasis is definitely moving to monitoring PCI compliance for all merchants.
New Service Provider Levels. The biggest news was the new Service Provider definitions. Effective February 1, Visa is reducing from three to two the number of Service Provider Levels, and they are dropping the transaction threshold for Level 1 dramatically. The cutoff will be just 300,000 Visa transactions annually – it used to be 1 million. If you process more than that, you are a Level 1 Service Provider; process less and you are a Level 2; there is no more Level 3.
I am surprised there has not been more attention paid to this change. If you are (or you use) a Level 2 or 3 Service Provider, stop what you’re doing and read the Bulletin. Your PCI compliance costs may increase under the lower transaction threshold.
What does it mean to you as a school? A couple of things. First, check whether any of your smaller third-party providers might now be “promoted” to Level 1. If so, they may need to update/upgrade their compliance validation, and you need to check that they do it. Second, if you have any outside organizations using your school’s network to process card transactions (I’m thinking food or other franchises, even some affiliates), you might be considered a Service Provider. You don’t want that. Free advice: get them off your network. Lastly, in the fine print of the Bulletin, Visa notes that their CISP List of Compliant Service Providers will henceforth list only Level 1s. So if you are using a third-party and they are not on the list, don’t immediately start tearing up their contract. Maybe they are still compliant as a L2.
If a security bulletin falls in the forest and there is no one there to hear it (apologies to Bishop Berkeley), does it still have an impact? I’d say it might. Send me an email or give a call if you have any questions. Happy New Year.