Non-US Merchants With Chip-and-Pin Terminals Get PCI Exemption

VISA has announced an extraordinary policy that will relieve merchants outside the U.S. of the requirement to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) if they process at least three-quarters of their VISA transactions from chip-enabled terminals.

The new PCI policy, intended as an incentive to speed up deployment of the so-called Europay-MasterCard-VISA (EMV) chip-and-PIN system, represents the first time a major card network has offered to exempt merchants from the full PCI validation requirement since the data security standard was introduced six years ago.

Many regions of the world, including Canada, have rolled out or are starting to roll out EMV, which ultimately replaces magnetic stripes with chips embedded in credit cards that store and protect cardholder credentials. Alongside the chips, VISA has been heavily promoting a security technology called data authentication, which lets the chip transmit back to the issuer a cryptographic message that authenticates the card as genuine. The message changes with each transaction, so it is useless if intercepted.
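The per-transaction cryptogram described above, as an added, simplified model that is not VISA's or EMV's own code: HMAC-SHA256 stands in for the card's block-cipher key derivation, the key, counter values and terminal nonce are constructed, and the issuer side shows why an intercepted message cannot be replayed or reused.

```python
import hmac
import hashlib

# Constructed card master key; in EMV it exists only in the chip and at the issuer.
CARD_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def session_key(master_key: bytes, atc: int) -> bytes:
    """Per-transaction key from the card key and the Application Transaction
    Counter (ATC); HMAC replaces the real EMV block-cipher derivation."""
    return hmac.new(master_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def transaction_data(amount: int, currency: str, nonce: bytes, atc: int) -> bytes:
    """Fields the MAC covers: amount, currency, terminal nonce and ATC."""
    return amount.to_bytes(6, "big") + currency.encode() + nonce + atc.to_bytes(2, "big")


def card_cryptogram(master_key: bytes, atc: int, amount: int, currency: str, nonce: bytes) -> bytes:
    """The message the chip sends online, truncated to 8 bytes like a real ARQC."""
    key = session_key(master_key, atc)
    return hmac.new(key, transaction_data(amount, currency, nonce, atc), hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer host: same master key plus the highest ATC accepted so far."""

    def __init__(self, master_key: bytes) -> None:
        self.master_key = master_key
        self.last_atc = 0

    def authorize(self, amount: int, currency: str, nonce: bytes, atc: int, cryptogram: bytes) -> bool:
        # A repeated or backwards counter is a replay: reject before the MAC check.
        if atc <= self.last_atc:
            return False
        expected = card_cryptogram(self.master_key, atc, amount, currency, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self.last_atc = atc
        return True


def demo() -> tuple:
    """Genuine purchase, the same message replayed, then the captured cryptogram
    reused with a fresh counter and a different amount."""
    issuer = Issuer(CARD_MASTER_KEY)
    nonce = bytes.fromhex("1a2b3c4d")  # constructed terminal unpredictable number
    crypt = card_cryptogram(CARD_MASTER_KEY, 1, 2599, "840", nonce)
    genuine = issuer.authorize(2599, "840", nonce, 1, crypt)
    replayed = issuer.authorize(2599, "840", nonce, 1, crypt)
    reused = issuer.authorize(9999, "840", nonce, 2, crypt)
    return genuine, replayed, reused  # (True, False, False)
```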

The Technology Innovation Program is intended to give merchants an incentive to install and use EMV by relieving them of the costs and burdens of PCI-compliance validation, says VISA. To qualify for the program, a merchant must have installed and enabled chip-reading terminals. The terminals must be enabled, not merely capable, and the merchant must also have previously validated its PCI compliance or have submitted a plan to do so, must not have sustained a data breach recently, must not store card data, and must still comply with PCI, even if it no longer has to prove that compliance.

VISA is excluding the U.S. market from the Technology Innovation Program, citing uncertainties created by the Durbin Amendment to the Dodd-Frank Act. That law, along with implementing rules proposed by the Federal Reserve, will drastically cut the debit card interchange income flowing to issuers. While the amendment makes allowances for issuers’ fraud-fighting expenses, how costs for EMV and other such technologies might ultimately be incorporated into the Fed’s rules remains unclear. The Fed released its proposal in December and is expected to issue final rules by April 21.

While VISA specifies that the exemption is from documenting a merchant's PCI compliance, not from achieving it, this incentive program still raises questions about using the compliance procedures as a kind of bargaining chip. A large part of the "burden" of PCI compliance is the testing and record-keeping needed to prove that effective and mandated procedures have been implemented. With no requirement to have these proven by a Qualified Security Assessor or a properly trained in-house employee, PCI is essentially enforced on "the honor system," which is currently only applicable to the very smallest merchants, not those of any significant size. Moreover, allowing merchants to sidestep the "hard part" of an industry standard in exchange for the adoption of the processor's technology seems like a "gaming" of the system that compromises the legitimacy of the entire transaction security standards program. If it's illegitimate for merchants to cut corners, why should it be OK for VISA to bribe some merchants into doing so?

