Tuesday, October 20, 2009

PCI Merchant Levels Cleared or Confused?

Branden Williams writes that Visa and MasterCard have pulled the "reciprocity" from their merchant level definitions (see here). For those of you not up on all the details, I'll try to explain what's going on.

Let's say you have 1 million Visa transactions a year and 500,000 (non-ecommerce) MasterCards (Visa is the larger brand, so this ratio is reasonable). According to Visa you would be a Level 2, and according to MasterCard you would be a Level 4. So far, so good. However, this is where the "reciprocity" part kicks in.

Reciprocity meant that if one brand rated you as a higher merchant level, you would be that higher merchant level for other brands, too. In our case above, while you were a Level 2 (Visa) and a Level 4 (MasterCard) based solely on your card activity, with reciprocity you would be a Level 2 for both brands.

Now in the past the different merchant levels didn't matter a lot since you would pick your SAQ, do your quarterly scans, and that was it for merchant levels. No big deal...until a few months ago, that is.

As I described in a previous blog post, the game changed this summer when MasterCard announced Level 2 merchants would be required (by December 2010) to validate their PCI compliance with an outside assessment by a QSA. Suddenly, reciprocity became a pretty big deal as merchants who didn't have that many MasterCard transactions found that they were required to have an outside assessment because "reciprocity" made them a Level 2 merchant.

Initially, I put this down to the Law of Unintended Consequences. It appears that after thinking it over (and if my friend Branden and I are both reading the MasterCard Merchant Levels correctly) MasterCard has removed "reciprocity" from its definitions.

Where does this leave us?

While each of the brands reserves the right to escalate your merchant level based on a breach or their judgement ("Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system"), it looks like we are back to counting your transactions by brand and comparing them to the brands' guidelines.

This may...just may...be a case where common sense wins out. I'm sure MasterCard had no plan to snare smaller merchants into a more expensive compliance regime. So if your MasterCard volume makes you a Level 2 merchant, you need to have your validation assessed by a QSA. But it looks like if you were a victim of reciprocity, you may have just dodged a (financial) bullet.
