The Green Sheet Online Edition
November 14, 2011 • Issue 11:11:01
Visa to eliminate PCI DSS requirements with EMV - not
Remember what your mother told you: if it sounds too good to be true, it probably isn't true. Don't change your sales pitch just yet; the Payment Card Industry (PCI) Data Security Standard (DSS) is not going away.
I've been hearing rumors about Visa Inc.'s push for adoption of EMV. For those of you unfamiliar with the acronym, EMV stands for Europay/MasterCard/Visa and refers to the chip-enabled devices that help to reduce fraud in face-to-face transactions. The comments I've been getting sound something like, "Have you heard? Visa is going to eliminate PCI DSS compliance for merchants using EMV-enabled devices!"
Not so fast
Hmmm, really? While this sounds sexy and, I'm sure, makes a great sales pitch ("Hey, Mr. Merchant, buy this chip-enabled terminal from me for $200, and you won't have to mess with expensive and time-consuming PCI DSS compliance"), can it really be true?
Naturally, having a risk/compliance mindset, I was skeptical. I've been working with the PCI DSS and Visa's Cardholder Information Security Program for longer than I care to admit, and the notion that Visa would exempt merchants from complying with the PCI DSS just because they use EMV chip-enabled technology seems unrealistic and irrational to me.
If you talk to any self-respecting compliance or risk manager in the industry, I think you'll get a similar perspective. I am not saying EMV would not be an improvement in the security of transaction processing; it would be. However, to say that merchants don't have to comply with the PCI DSS is a stretch.
What Visa said
Let's take a look at what Visa is saying and what it really means. The Aug. 9, 2011, Visa Bulletin entitled "Visa Announces Plans to Accelerate Chip Migration and Adoption of Mobile Payments" states the card brand's plan includes:
- Merchant incentives to upgrade to EMV chip-enabled terminals
- Requirements for acquirer processors to support chip acceptance
- Introduction of U.S. liability shift policies
This is a noble plan and one I hope will help spur action within the industry to move to EMV chip-enabled terminals, as clearly that is a more secure method of processing than mag-stripe. However, let's look at what Visa is actually saying about PCI DSS requirements. Visa's Aug. 9 bulletin states it will waive PCI DSS compliance validation requirements to encourage merchants to invest in contact and contactless chip payment terminals.
Further, in the "Visa Expands Technology Innovation Program for U.S. Merchants to Adopt Dual Interface Terminals" bulletin, also published on Aug. 9, Visa describes the expansion of the Technology Innovation Program (TIP) into the United States, effective October 2012.
This program eliminates the requirement that eligible merchants annually validate their compliance with PCI DSS for any year in which at least 75 percent of the merchant's Visa transactions originate from dual-interface EMV chip-enabled terminals, in addition to meeting other qualification criteria.
That sounds easy enough. All you need is to process 75 percent of your transactions through an EMV chip-enabled terminal and your requirement to validate compliance with the PCI DSS is waived, right? Wrong. Note the terms in the above excerpt; the key words are "eligible merchants," "dual-interface" and "other qualification criteria."
The nitty gritty
What, you mean there are other qualifications? My skepticism seems well justified at this point. What are the additional qualifications, you ask? They include:
- Terminals must be enabled to support both EMV contact and contactless chip acceptance, including contactless based on near field communication technology.
- The merchant must have validated PCI DSS compliance within the previous 12 months or have submitted to Visa a defined remediation plan for achieving compliance, based on a gap analysis.
- The merchant must have confirmed that sensitive authentication data (that is, full contents of magnetic stripe, Card Verification Value 2 and/or PIN data) is not stored, as defined in the PCI DSS.
- At least 75 percent of the merchant's total transaction count must originate from dual-interface enabled chip-reading device terminals.
- The merchant must not be involved in a breach of cardholder data. Breached merchants may qualify for TIP if they have subsequently validated PCI DSS compliance.
- Merchants whose transaction volume is primarily from e-commerce and MO/TO acceptance channels are still required to validate PCI DSS compliance annually.
But wait, there's more: Visa will require the acquirer to submit a program application for each "qualifying" merchant, which will be reviewed, verified and approved by Visa. Additionally, the acquirer will have specific reporting requirements for qualified and approved merchants, the details of which were not published.
Not for mom-and-pops
And for anyone who still thinks that selling a merchant an EMV chip-enabled terminal will eliminate the merchant's burden to become and remain PCI DSS compliant, the coup de grâce, and I quote: "Although Visa may waive the annual validation requirement for qualifying merchants, all merchants are required to maintain ongoing PCI DSS compliance.
"Acquirers retain full responsibility for merchants' PCI DSS compliance, as well as responsibility for any fees, fines or penalties that may be applicable in the event of a data breach."
The world of "eligible" merchants has gotten very small; this push by Visa to expand EMV chip-enabled technology into the U.S. market is clearly directed at Level 1, big-box merchants, which make up what percent of your portfolio? I thought so.
As I mentioned before, this is a noble effort, and Visa's approach makes sense. Incent the big guys to adopt the acceptance technology, thereby creating an environment that will foster greater demand from consumers and, hopefully, result in greater adoption by issuers of initiatives to issue chip-enabled cards and lower fraud rates in the U.S. retail market.
However, this push does not impact the majority of merchants. The incentive for adopting the technology for the smaller merchant that will not qualify for the TIP program is a reduction in fraud and eventually a shift in liability, but that conversation is for another article.
Linda Grimm is a seasoned payments executive holding a Certified Information Privacy Professional (CIPP) accreditation who has worked for national and international merchant acquirers. She has extensive knowledge and expertise in the area of Merchant Acquiring Operations including risk mitigation and regulatory compliance. For questions or consulting services you can reach Linda at 707-834-5147 or via email at firstname.lastname@example.org.