Coalfire Announces PCI Level 2 Merchant Support Program

Share Article

New MasterCard Site Data Protection rules take effect June 30, 2012 catching many Level 2 merchants unprepared

News Image
The ISA training program – and by extension, an internally-led PCI attestation –is a great strategy for many merchants

According to the rules set forth by the major credit card brands and the Payment Card Industry Security Standards Council, all merchants that store, process or transmit cardholder data must be PCI compliant. On June 30, 2012, the process for validating compliance via a Self-Assessment becomes significantly more rigorous for MasterCard’s Level 2 merchants: Self-Assessments must be completed by employees that have attended PCI SSC Internal Security Assessor (ISA) training and have passed the associated accreditation program annually.

“MasterCard’s guidelines were first published in 2009, but many merchants have yet to send employees to ISA training. And even if they have, company officers may not want to sign their name to a Self-Assessment report developed solely by a rookie ISA.” said Kurt Hagerman, Coalfire’s PCI practice leader. “The ISA training program – and by extension, an internally-led PCI attestation –is a great strategy for many merchants. But the program isn’t a shortcut to validation. All the PCI 2.0 requirements still apply, and merchants still need a fully-documented, evidence-backed, report to protect themselves.”

To help those merchants, Coalfire has developed a “PCI Level 2 Merchant Support Program”. There are four elements to the program:

Free use of Navis Rapid SAQ, a cloud-based solution for completing and maintaining a Self-

1. Assessment Questionnaire

2. Discounts on:
     a. Navis Scan Complete, Coalfire’s subscription service for internal and external vulnerability scans (as required to meet PCI requirement 11.2)
     b. Internal and External Penetration tests (as required to meet PCI requirement 11.3),

3. A Gap Analysis program, led by a Coalfire Qualified Security Assessor, designed to jump-start an ISA-led compliance validation effort.

4. An On-site Assessment by a Coalfire QSA, leading to an auditor-signed Report on Compliance. Merchants may use a Coalfire ROC as an alternative to an ISA-led validation.

This program is available to anyone who can demonstrate that they have been classified by their processors as a Level 2 merchant.

According to MasterCard, a Level 2 merchant is:

-Any merchant with more than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually, or
-Any merchant meeting the Level 2 criteria of Visa

Rick Dakin, Coalfire’s CEO and chief security strategist, adds “There are thousands of Level 2 merchants in the US alone, and many of those will be asked for an ISA-signed SAQ or a report by an independent assessor like Coalfire. As the industry’s leading independent QSA, we know how much work is required to do an accurate assessment. That’s why we developed this program. We want to help them get more secure and avoid whatever fines and penalties banks might impose for non-compliance.”

For further information click here.

About Coalfire
Coalfire is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York and Seattle and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire’s solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA. For more information, visit

# # #

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Stephanie Vanderholm
Visit website