Emerald Business Systems Blog

MasterCard/Visa Remove Reciprocity

Posted in PCI by ebs4pos on October 25, 2009

Thanks to a fellow reader for pointing this out! It appears that MasterCard and Visa (sorta) have removed the reciprocity statements from their level definitions. Discover still has the reciprocity statement on their levels, American Express and JCB never used reciprocity for their level definitions (to my best recollection).

Several industry insiders have been told that it was never the intent of MasterCard to force a merchant that accepts a single JCB card to go through an on-site assessment if they did not meet the MasterCard threshold. Now it appears that this is the case as the official merchant level definitions reflect exactly this.

Unfortunately, the road does not end there. In fact, it starts forking like crazy.

Now that reciprocity is gone, you have to take each card brand’s volume INDIVIDUALLY in order to determine your level and requirements. As you know, each brand may end up with different validation requirements depending on where you fall in the spectrum. For example, a merchant processing 2,000 Discover, 2 Million MasterCard, and 50,000 non-ecommerce Visa transactions annually is considered a level 2 with MasterCard & Discover, and a level 4 with Visa. This means they must have an on-site assessment thanks to MasterCard’s program (facing fines if you don’t) and submit a SQL to Discover, yet are not required to submit anything for Visa. WOW! Can it GET any more complex?


Visa Canada still uses reciprocity in their merchant levels and still requires QSAs to attest to merchants’ SAQs. For some strange reason, it appears that Level 1 Visa merchants in Canada must do both an SAQ and a ROC? I think there is a typo there, but I could be wrong.

Your merchant level discussion just got much more complex. If all else fails, your best bet is to list out your annual card acceptance rates by brand, and double check the levels on their website to determine what you need to do. This is an important discussion to have with your QSA (if you use one) to make sure that all of the reporting criteria are met.

via Branden Williams’s Security Convergence Blog » MasterCard/Visa Remove Reciprocity.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: