The Green Sheet Online Edition
August 27, 2007 • Issue 07:08:02
Visa's vigilance pays off, PCI compliance takes off
Visa U.S.A. took the lead in launching the Payment Card Industry (PCI) Data Security Standard Compliance Acceleration Program (CAP) in 2006. Now the campaign to boost data security is bearing fruit. PCI CAP uses incentives and fines to compel errant merchants to change lax security practices.
And in July 2007, Visa reported that 96% of the largest businesses accepting Visa bankcards confirm they no longer store sensitive account data, including security codes and PINs.
Michael E. Smith, Visa's Senior Vice President of Enterprise Risk and Compliance, said that by removing "prohibited data" from payment systems, businesses "are denying hackers the data they covet for use in counterfeiting payment cards and are thus making their businesses and the payments system more secure."
Acquirers reported to Visa the following levels of compliance with PCI CAP as of July:
- Level 1 merchants: 40% had validated compliance; 50% had submitted initial validation reports and were working to remedy deficiencies.
- Level 2 merchants: 33% had validated compliance; 42% had submitted initial validation reports and were working to remedy deficiencies.
- Level 3 merchants: 52% had validated compliance; 22% had submitted initial validation reports and were working to remedy deficiencies.
Expanded scrutiny ahead
Visa's early compliance efforts focused on larger businesses. Recently, the company zeroed in on smaller businesses (level 4 merchants), as well as the acquirers and processors that service them. (See "Who's minding the small-business store, Visa wants to know," The Green Sheet, Aug. 13, 2007, issue 07:08:01.)
"Although some progress has been made among large merchants, it's clear that fraud will migrate to the weakest link," said Avivah Litan, Vice President and Distinguished Analyst for research firm Gartner Inc. "Any efforts by the industry to reinforce the system's armor, especially among small businesses, is a good approach," she said.
To this end, Visa has partnered with the National Federation of Independent Business to offer educational materials, webinars and other online tools on the Web site www.nfib.org to help businesses achieve PCI compliance.
Additionally, the card Association has a list of compliant service providers online at www.usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf.