Effective 31 March 2011, Visa will allow qualifying merchants outside of the United States to discontinue their annual Payment Card Industry Data Security Standard (PCI DSS) revalidation assessment.
Note that this does not mean that using EMV exempts you from PCI compliance (more on this below).
It is nice to see Visa rewarding investments in EMV and card authentication with potentially lower PCI compliance validation costs:
Many merchants have invested time and money in the purchase, deployment and enablement of EMV POS terminals. These merchants have also invested in annual PCI DSS compliance assessments, which may require the use of a Qualified Security Assessor and can be a significant expense. Visa is introducing the Technology Innovation Program to assist merchants in reducing the costs associated with annual PCI DSS validation.
A non-US merchant qualifies for the program if it meets all four of the following conditions:
1. The merchant must have validated PCI DSS compliance previously or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance based on a gap analysis.
2. The merchant must have confirmed that sensitive authentication data (i.e., the full contents of the magnetic stripe, CVV2 or PIN data) is not stored, as defined in the PCI DSS.
3. At least 75 percent of the merchant’s transaction count must originate from enabled chip-reading device terminals (i.e., contact and/or dual interface contact/contactless terminals).
4. The merchant must not be involved in a breach of cardholder data. A breached merchant may qualify for TIP if it has subsequently validated PCI DSS compliance.
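Condition 2 is the one a merchant can actually test for itself before asking its acquirer about TIP. The scanner below is an added example, not Visa's or the PCI SSC's code: it runs regular expressions for ISO 7813 Track 1 and Track 2 data, labelled CVV2/CVC2/CID values and labelled PIN blocks over a set of stored records, Luhn-checks any candidate PAN to cut false positives, and reports only masked PANs so that its own output does not become another store of sensitive authentication data. The sample log lines, the `cvv2=` and `pin_block=` label conventions and the regex shapes are assumptions for illustration; a real engagement would point `scan_records` at database exports, log files and memory dumps rather than an in-memory list.

```python
import re

# Regexes for the sensitive authentication data (SAD) that PCI DSS Requirement 3.2
# forbids storing after authorisation. Track layouts follow ISO/IEC 7813:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")
# Card verification value sitting next to a recognisable label (assumed log convention).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)
# Labelled PIN or PIN block, 4-16 hex characters (assumed log convention).
PIN_RE = re.compile(r"\b(?:pin|pin_block|pinblock)\s*[:=]\s*[0-9A-Fa-f]{4,16}\b", re.IGNORECASE)


def luhn_ok(pan: str) -> bool:
    """Luhn check on a candidate PAN; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, which PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_sad(text: str) -> list:
    """Return (kind, reference) pairs for every piece of SAD found in one record.
    The reference is a masked PAN for track data and '***' for CVV/PIN values, so
    the scanner's report never contains the sensitive data it found."""
    hits = []
    for m in TRACK1_RE.finditer(text):
        if luhn_ok(m.group(1)):
            hits.append(("track1", mask_pan(m.group(1))))
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m.group(1)):
            hits.append(("track2", mask_pan(m.group(1))))
    if CVV_RE.search(text):
        hits.append(("cvv2", "***"))
    if PIN_RE.search(text):
        hits.append(("pin", "***"))
    return hits


def scan_records(records) -> dict:
    """Map record index -> SAD hits, omitting records that are clean."""
    findings = {}
    for i, rec in enumerate(records):
        hits = find_sad(rec)
        if hits:
            findings[i] = hits
    return findings


def stores_sad(records) -> bool:
    """True if any record violates the 'sensitive authentication data is not stored' condition."""
    return bool(scan_records(records))


# Constructed sample lines standing in for a POS / e-commerce log export.
SAMPLE_RECORDS = [
    # full Track 2 written to a log line after a successful swipe
    "2011-03-01 10:02:11 POS-07 swipe ok ;4111111111111111=15121011000012345?",
    # full Track 1, including cardholder name
    "2011-03-01 10:05:40 POS-07 swipe ok %B5555555555554444^DOE/JANE^15121011234567890?",
    # PAN correctly truncated, but the CVV2 was logged next to it
    "2011-03-01 10:09:03 WEB order 8812 pan=411111******1111 cvv2=123",
    # compliant line: masked PAN and expiry only
    "2011-03-01 10:12:55 WEB order 8813 pan=555555******4444 exp=1512 auth=OK",
    # encrypted PIN block dumped by a debugging statement
    "2011-03-01 10:15:20 POS-03 pin_block=A1B2C3D4E5F60718 verify=OK",
]

if __name__ == "__main__":
    for idx, hits in scan_records(SAMPLE_RECORDS).items():
        print(f"record {idx}: {hits}")
    print("SAD stored:", stores_sad(SAMPLE_RECORDS))
```

Four of the five constructed records are flagged; only the line carrying a masked PAN and an expiry date passes, because PAN and expiry are cardholder data that may be stored under Requirement 3 (encrypted), whereas track data, CVV2 and PIN blocks may never be retained after authorisation. A merchant that finds hits like these has failed condition 2 regardless of how many chip terminals it has deployed.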
What about US merchants?
Visa has this to say about this program in the United States:
Despite industry interest in chip and dynamic data authentication, the program is not currently available in the United States because recent debit card regulation has cast uncertainty in the marketplace. Visa Inc. may consider implementation of TIP in the United States at a later date based on evolving environmental circumstances.
I think this announcement adds a new dynamic, a potential incentive, to EMV adoption in the US. US merchants may in the near future have a concrete discount to weigh when considering EMV: lower annual PCI compliance validation costs (fewer on-site audits) to offset the cost of new card acceptance devices, updated payment software, and the processing infrastructure needed to support EMV.
If I use EMV, I don't need to be PCI compliant!!!
This is a fallacy that I fear will echo. The announcement concerns the validation of compliance, not on-going compliance with the PCI DSS itself, as Visa states below:
Although Visa may waive the annual validation requirement for qualifying merchants, all merchants are still required to maintain on-going PCI DSS compliance. Acquirers retain full responsibility for merchants’ PCI DSS compliance, as well as responsibility for any fees, fines or penalties, which may be applicable in the event of a data breach.