Mastercard Requires QSA or ISA for Level 2 Merchants

The standard for handling credit card data is set by the PCI (Payment Card Industry) SSC (Security Standards Council). However, each card brand, Visa, Mastercard, AmEx, Discover and JCB, manages its own specific compliance program. Requirements for becoming compliant and reporting are set by each card brand. Even though each programs requirements are similar, there are slight variations in certain particular details as to how they apply to different merchants.

Mastercard's Site Data Protection (SDP) Program

In this article we focus on the MasterCard requirements for Level 2 Merchants. Mastercard level 2 merchants are those processing 1 million to 6 million card transactions per year1. If you are within this range you are a Mastercard Level 2 Merchant unless your Acquiring Bank has informed you otherwise. There are special circumstances where the acquiring bank may designate a level 2 merchant to meet Level 1 compliance standards. For instance, if a merchant has experienced a data security breach the card brand may at their discretion move the merchant up to a higher level of compliance. In this situation the Acquiring Bank will inform the merchant of this requirement. Otherwise merchants in this transaction range would follow Level 2 compliance standards.

The Mastercard compliance program calls for level 2 merchants to either perform a self-assessemnt or engage with a PCI QSA and conduct an onsite assessment of their IT environment, specifically as it relates to the handling of card holder data. This is similar to the other card brand's compliance programs, except that Mastercard requires that either a QSA or ISA be involved in the process2. When electing to self-assess, the culmination of this assessment is the completion of an SAQ (Self-Assessment Questionnaire) to attest that you are compliant with the PCI DSS (Data Security Standard). The assessment and resulting SAQ may not simply be completed by any employee of the merchant. A PCI QSA, such as Aeris Secure, must be involved in the assessment and the completion of the SAQ or the merchant must have staff holding a PCI ISA (Internal Security Assessors) credential conducting the self-assessment. This requirement is unique to the Mastercard Compliance program. The other card brands do not require the involvement of a QSA or ISA in a level 2 merchant’s self-assessment.

PCI Internal Security Assessor (ISA)

For a merchant’s employees to receive the ISA credential PCI offers an annual training which the employee must attend. Level 2 merchants that opt not to utilize the services of a QSA to attest to their compliance must send staff to this ISA training and they must pass the certification test to qualify for the ISA certification. ISA employees are also required to re-qualify annually to maintain their ISA certification. To attend the ISA course there is a prerequisite online training that covers the fundamentals of PCI. This is followed by the actual qualification training which is a two day course conducted at a training location established by PCI. Requalification for existing ISAs can be taken online. As of this writing the fees for the ISA training range from $1095 - $3950/employee/year. The rate depends upon your company’s status with PCI and whether it is an initial training or requalification.

The involvement of a QSA or ISA in the self-assessment process and completion of the SAQ was mandated by Mastercard when they updated their compliance program's requirements in June 2012.

The Choice - Pros and Cons

To recap, level 2 merchants have the option of using an outside QSA or train and certify their own ISA employees to perform their assessment and complete the SAQ function. There are benefits to each. A QSA brings a depth of knowledge and experience gained from across the industry and may bring efficiencies to your assessment by having performed numerous engagements.

At Aeris Secure we take special care to minimize the disruption to your daily functions. We realize that you have a business to run. Our assessment methodology is developed with you in mind to make your assessment as seamless as possible. You will be able to concentrate on your core business. While there is something to be said for having the in-house ability to perform your assessment with an ISA, your IT personnel most likely are already busy with day to day responsibilities. Compliance has a deadline each year. Meeting these deadlines can be difficult if your ISA is burdened with day to day responsibilities.


Mastercard - Site Data Protection Program (SDP)

Visa Cardholder Information Security Program (CISP)

Discover Information Security & Compliance Program (DISC)

American Express Data Security Operating Policy

JCB Data Security Program

  1. Level 2 criteria differ between card brands. This is the criteria for MC.  

  2. See Footnote 4 on 


Call us at (214) 556-6613 or   CONTACT US