GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

Turbulence expected for 1099-K reporting, be prepared


Industry Update

Washington takes a second look at Durbin

Big card brands, big banks hit with more antitrust suits

CEOs advise wait and see at ETA forum

Update feeds need for more PTS guidance


Legislative update, November 2011

Five key lessons e-commerce merchants can learn from the 2010 holiday season

Michael Duffy
Chase Paymentech Solutions LLC

Research Rundown

Give, inspire and flourish

Selling Prepaid

Prepaid in brief

Union Privilege makes savings a plus

Holiday gift cards get personal


ISOs and the new frontier of payments

Brandes Elitch
CrossCheck Inc.


Street SmartsSM:
Agent training - more than taking a test

Bill Pirtle
C3ET Credit Card Consortia for Education & Training Inc.

When big money meets small ISOs

Adam Atlas
Attorney at Law

Country-specific alternative payments

Caroline Hometh
RocketPay LLC

Visa to eliminate PCI DSS requirements with EMV - not

Linda Grimm
Linda Grimm Consulting

How does a credit card salesperson learn to sell POS?

Jerry Cibley
United Bank Card Inc.

PR and press release basics

Peggy Bekavac Olson
Strategic Marketing

Managing infrastructure in a virtual world

Tim Cranny
Panoptic Security Inc.

Caution: Assumptions ahead

Jeff Fortney
Clearent LLC

Company Profile

POS Portal Inc.

New Products

TIN matching simplified

TIN Matching Service
SecurityMetrics Inc.

Authenticate and process with one touch

OneTouch Mobile Payment
Admeris Payment Systems Inc.


Choose to be grateful



Resource Guide


A Bigger Thing

The Green Sheet Online Edition

November 14, 2011  •  Issue 11:11:01

previous next

Visa to eliminate PCI DSS requirements with EMV - not

By Linda Grimm

Remember what your mother told you: if it sounds too good to be true, it probably isn't true. Don't change your sales pitch just yet; the Payment Card Industry (PCI) Data Security Standard (DSS) is not going away.

I've been hearing rumors about Visa Inc.'s push for adoption of EMV. For those of you unfamiliar with the acronym, EMV stands for Europay/MasterCard/Visa and refers to the chip-enabled devices that help to reduce fraud in face-to-face transactions. The comments I've been getting sound something like, Have you heard? Visa is going to eliminate PCI DSS compliance for merchants using EMV enabled devices!

Not so fast

Hmmm, really? While this sounds sexy and, I'm sure, makes a great sales pitch (Hey, Mr. Merchant, buy this chip enabled terminal from me for $200, and you won't have to mess with expensive and time consuming PCI DSS compliance), can it really be true?

Naturally, having a risk/compliance mindset, I was skeptical. I've been working with the PCI DSS and Visa's Cardholder Information Security Program for longer than I care to admit, and the notion that Visa would exempt merchants from complying with the PCI DSS just because they use EMV chip-enabled technology seems unrealistic and irrational to me.

If you talk to any self-respecting compliance or risk manager in the industry, I think you'll get a similar perspective. I am not saying EMV would not be an improvement in the security of transaction processing; it would be. However, to say that merchants don't have to comply with the PCI DSS is a stretch.

What Visa said

Let's take a look at what Visa is saying and what it really means. The Aug. 9, 2011, Visa Bulletin entitled "Visa Announces Plans to Accelerate Chip Migration and Adoption of Mobile Payments" states the card brand's plan includes:

This is a noble plan and one I hope will help spur action within the industry to move to EMV chip-enabled terminals, as clearly that is a more secure method of processing than mag-stripe. However, let's look at what Visa is actually saying about PCI DSS requirements. Visa's Aug. 9 bulletin states it will waive PCI DSS compliance validation requirements to encourage merchants to invest in contact and contactless chip payment terminals.

Further, in the "Visa Expands Technology Innovation Program for U.S. Merchants to Adopt Dual Interface Terminals" bulletin, also published on Aug. 9, Visa describes the expansion of the Technology Innovation Program (TIP) into the United States, effective October 2012.

This program eliminates the requirement that eligible merchants annually validate their compliance with PCI DSS for any year in which at least 75 percent of the merchant's Visa transactions originate from dual-interface EMV chip-enabled terminals, in addition to meeting other qualification criteria.

That sounds easy enough. All you need is to process 75 percent of your transactions through an EMV chip-enabled terminal and your requirement to validate compliance with the PCI DSS is waived, right? Wrong. Note the terms in the above excerpt, key words are "eligible merchants," "dual-interface" and "other qualification criteria."

The nitty gritty

What, you mean there are other qualifications? My skepticism seems well justified at this point. What are the additional qualifications, you ask? They include:

But wait, there's more: Visa will require the acquirer to submit a program application for each "qualifying" merchant, which will be reviewed, verified and approved by Visa. Additionally, the acquirer will have specific reporting requirements for qualified and approved merchants, the details of which were not published.

Not for mom-and-pops

And for anyone who still thinks that selling a merchant an EMV chip-enabled terminal will eliminate the merchant's burden to become and remain PCI DSS compliant, the coup de grƒce, and I quote: "Although Visa may waive the annual validation requirement for qualifying merchants, all merchants are required to maintain ongoing PCI DSS compliance.

"Acquirers retain full responsibility for merchants' PCI DSS compliance, as well as responsibility for any fees, fines or penalties that may be applicable in the event of a data breach."

The world of "eligible" merchants has gotten very small; this push by Visa to expand EMV chip-enabled technology into the U.S. market is clearly directed at Level 1, big-box merchants, which make up what percent of your portfolio? I thought so.

As I mentioned before, this is a noble effort, and Visa's approach makes sense. Incent the big guys to adopt the acceptance technology, thereby creating an environment that will foster greater demand from consumers and, hopefully, result in greater adoption by issuers of initiatives to issue chip-enabled cards and lower fraud rates in the U.S. retail market.

However, this push does not impact the majority of merchants. The incentive for adopting the technology for the smaller merchant that will not qualify for the TIP program is a reduction in fraud and eventually a shift in liability, but that conversation is for another article.

Linda Grimm is a seasoned payments executive holding a Certified Information Privacy Professional (CIPP) accreditation who has worked for national and international merchant acquirers. She has extensive knowledge and expertise in the area of Merchant Acquiring Operations including risk mitigation and regulatory compliance. For questions or consulting services you can reach Linda at 707-834-5147 or via email at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | USAePay | Board Studios