By Ken Musante
Eureka Payments LLC
In aggregate, large merchants handle far more card numbers than small merchants, even though small merchants are far more numerous. To account for that added responsibility, Visa Inc. places additional validation requirements on larger merchants for Payment Card Industry (PCI) Data Security Standard (DSS) compliance and defines four separate validation levels by merchant size.
The smallest level, Level 4, covers merchants that process fewer than 20,000 Visa e-commerce transactions annually and all other merchants that process up to 1 million Visa transactions annually; for these merchants, the acquirer sets the compliance validation requirements. Level 3 merchants process 20,000 to 1 million Visa e-commerce transactions annually. I am pleased to share that as of July 1, 2014, Visa is implementing a new program that can shield acquirers and their merchants from a significant portion of the fees should a Level 3 or 4 merchant be compromised.
Visa grouped merchants by level so it could focus its attention on the larger merchants, which handle the greatest number of cards. However, because there are so many Level 3 and Level 4 merchants, approximately 90 percent of all breaches, counted by merchant, occur at these smaller merchants, even though the number of cards compromised there is dwarfed by the number compromised at Level 1 and 2 merchants.
To encourage Level 3 and 4 merchants to comply with PCI requirements, and to prod acquirers to mandate and monitor compliance, Visa is implementing a new program that gives these merchants an incentive to implement security controls. This should reduce the number of compromises at smaller merchants.
Reducing such compromises is of tremendous value to cardholders, issuers, merchants and the card networks. It will foster best practices at merchant locations, reduce the paperwork filed with Visa and promote goodwill among cardholders. The new program is called the Secure Acceptance Incentive Program, and it took effect July 1, 2014.
The program encourages acquirers to ensure that their Level 3 and 4 merchants better protect cardholder data by granting a safe harbor from Visa's noncompliance fines in the event of a compromise. To qualify for the safe harbor, the merchant must have implemented at least one of the following security measures before the date of the compromise. The options differ for card-present and card-not-present merchants.
For card-present merchants:
Option 1: Fully enabled Europay/MasterCard/Visa (EMV) terminals are in use at all POS acceptance locations, and cardholder data must not be captured on any system other than the EMV terminals.
Option 2: A Visa Ready-approved mobile POS (mPOS) vendor solution is in use at all acceptance locations, and cardholder data must not be captured on any system other than the mPOS solution.
Option 3: A PCI-validated point-to-point encryption (P2PE) solution is in use at all acceptance locations, and unencrypted cardholder data must not be stored, processed or transmitted.
Option 4: Onsite PCI DSS validation has been performed by a Qualified Security Assessor or an Internal Security Assessor within the previous 12 months.
For card-not-present merchants:
Option 1: All card payment acceptance activities are outsourced to a PCI DSS-validated gateway or digital wallet provider, and the merchant must not store, process or transmit cardholder data.
Option 2: A Payment Application Data Security Standard (PA-DSS)-validated payment application is in use, annual network and application penetration tests are completed, and data discovery scans are performed quarterly to confirm that cardholder data is not stored after a transaction is completed. All vulnerabilities identified in penetration tests must be remediated within 60 days, and any cardholder data identified by a data discovery scan must be deleted from the merchant's systems within 30 days of identification.
Additionally, subsequent tests must be conducted to confirm remediation of all findings. Network and application penetration tests should be performed in accordance with PCI DSS Requirement 11.3. A data discovery scan must, at a minimum, look for primary account numbers (PANs) and Track 1 and Track 2 data at all storage locations, including within the contents of commonly used document formats (for example, Word, PDF and Excel), plain text files and compressed file formats (for example, .zip, .rar, .tar and .gz).
Option 3: Onsite PCI DSS validation has been performed by a Qualified Security Assessor or an Internal Security Assessor within the previous 12 months.
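The quarterly data discovery scan called for under the card-not-present Option 2 is the one control in the list that a merchant's own staff can script, so here is an added worked example of what such a scan has to do. It is not code from the original article or from Visa's program materials. The scanner walks a directory, looks for Luhn-valid primary account numbers and Track 1 / Track 2 data in every file, and opens .zip, .tar and .gz containers (nested ones too) so that an old backup does not hide a card dump. Office Open XML files (.docx, .xlsx) are zip containers and therefore fall into the zip branch; .rar, the legacy binary .doc/.xls formats and PDF (whose content streams are normally compressed) need format-specific extractors that the standard library does not provide and are left out here. The file names, sample contents, size cap and nesting limit are all constructed for illustration; the card numbers are the well-known test numbers, not real cardholder data.

```python
# Cardholder-data discovery scan: Luhn-valid PANs and Track 1/2 data, in files and inside zip/tar/gz.
import gzip, io, os, re, tarfile, tempfile, zipfile
from pathlib import Path

MAX_BYTES = 50 * 1024 * 1024  # per-member cap against decompression bombs (assumed limit)
MAX_DEPTH = 3                 # nested-archive limit, e.g. tar.gz -> tar -> member (assumed limit)
# 13-19 digits, optional single space/dash separators, not embedded in a longer digit run
PAN_RE = re.compile(rb"(?<![0-9])(?:\d[ -]?){12,18}\d(?![0-9])")
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")  # %B<PAN>^NAME^YYMM...
TRACK2_RE = re.compile(rb";(\d{13,19})=\d{4}")                # ;<PAN>=YYMM...

def luhn_ok(digits):
    """Luhn checksum; weeds out most serial/invoice numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan):
    """Keep first six and last four, so the findings report is not itself cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_cardholder_data(blob):
    """Return [(kind, masked_pan), ...] for each PAN / Track 1 / Track 2 hit in a byte string."""
    hits = []
    for m in PAN_RE.finditer(blob):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            hits.append(("PAN", mask(digits)))
    for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
        hits += [(kind, mask(m.group(1).decode())) for m in rx.finditer(blob)]
    return hits

def iter_contents(label, data, depth=0):
    """Yield (label, bytes) for data, or for each member if data is a container.
    Containers are detected by content, not extension, so renamed archives still get opened."""
    if depth > MAX_DEPTH or len(data) > MAX_BYTES:
        return
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):                  # .zip, plus .docx/.xlsx (zip containers)
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if not info.is_dir() and info.file_size <= MAX_BYTES:
                    yield from iter_contents(f"{label}!{info.filename}", zf.read(info), depth + 1)
        return
    if data[:2] == b"\x1f\x8b":                  # gzip magic; a .tar.gz is unpacked on recursion
        try:
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
                inner = gz.read(MAX_BYTES + 1)
        except (OSError, EOFError):
            yield label, data                    # damaged gzip: scan the raw bytes instead
            return
        if len(inner) <= MAX_BYTES:
            yield from iter_contents(f"{label}!gunzip", inner, depth + 1)
        return
    try:
        tf = tarfile.open(fileobj=io.BytesIO(data), mode="r:")
    except tarfile.TarError:
        yield label, data                        # not a container: scan the bytes as they are
        return
    with tf:
        for m in tf.getmembers():
            if m.isfile() and m.size <= MAX_BYTES:
                yield from iter_contents(f"{label}!{m.name}", tf.extractfile(m).read(), depth + 1)

def scan_tree(root):
    """Walk root; return {location: hits} for every file or archive member with findings."""
    root, findings = Path(root), {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            for label, blob in iter_contents(path.relative_to(root).as_posix(), path.read_bytes()):
                hits = find_cardholder_data(blob)
                if hits:
                    findings[label] = hits
    return findings

def build_sample_tree(root):
    """Constructed sample files using well-known test card numbers, not real cardholder records."""
    (root / "notes.txt").write_text("ref 1234567890123456 (fails Luhn)\ncard 4111 1111 1111 1111\n")
    (root / "clean.txt").write_text("order 42 shipped\n")
    with zipfile.ZipFile(root / "backup.zip", "w") as zf:
        zf.writestr("dump.csv", "id,track\n7,;4111111111111111=25121011?\n")
    with gzip.open(root / "pos.log.gz", "wb") as gz:
        gz.write(b"swipe %B5555555555554444^DOE/JANE^2512101?\n")
    body = b"export 5555 5555 5555 4444\n"
    with tarfile.open(root / "old.tar.gz", "w:gz") as tf:
        info = tarfile.TarInfo("old/export.txt")
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))

def run_demo():
    """Build the sample tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return scan_tree(tmp)

if __name__ == "__main__":
    for location, hits in sorted(run_demo().items()):
        print(location, hits)
```

Run stand-alone, the script builds the constructed tree and reports four locations, including the PAN inside the zipped CSV and the Track 1 record inside the gzipped log, while the non-Luhn reference number and the clean file produce nothing; point scan_tree() at a real directory to use it. Two design points matter in practice: the report stores only the first six and last four digits, so the scan output does not itself become a cardholder-data store that would have to be deleted under the 30-day clock, and the size and depth caps keep a stray compressed bomb in a backup folder from taking the scanner down.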
In order to take advantage of the program, acquirers must provide Visa with additional reporting on their merchants' implementation of the security controls. The safe harbor applies only to Visa noncompliance fines and is not applicable to any additional obligations, including other card network fines and the Global Compromised Account Recovery program.
While any fine or liability can be disastrous, especially when adding the total costs for a breach and remediation, this program can certainly take some of the insult out of the injury. Further, I believe Visa is recognizing that even if Level 3 and 4 merchants cannot or do not fully comply with all relevant PCI requirements, there are practical steps they can take to reduce risks to all parties.
I applaud this practical approach, especially with the rapid conversion away from dial terminals to high-speed terminals and POS solutions that are inherently more vulnerable to a breach. Well done.