International Merchants with EMV no longer need to have PCI Compliance validated



In today's Visa Bulletin, "Visa Introduces Technology Innovation Program for Merchants", Visa announces that:

Effective 31 March 2011, Visa will allow qualifying merchants outside of the United States to discontinue their annual Payment Card Industry Data Security Standard (PCI DSS) revalidation assessment.

Note that this does not mean that using EMV exempts you from PCI compliance (more on this below).

It is nice to see Visa rewarding investments in EMV and card authentication with the potential for lower PCI compliance costs:

Many merchants have invested time and money in the purchase, deployment and enablement of EMV POS terminals. These merchants have also invested in annual PCI DSS compliance assessments, which may require the use of a Qualified Security Assessor and can be a significant expense. Visa is introducing the Technology Innovation Program to assist merchants in reducing the costs associated with annual PCI DSS validation.

A non-US merchant qualifies for the program if it meets all four of the following criteria:

1. The merchant must have validated PCI DSS compliance previously or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance based on a gap analysis.

2. The merchant must have confirmed that sensitive authentication data (i.e., the full contents of the magnetic stripe, CVV2 or PIN data) is not stored, as defined in the PCI DSS.

3. At least 75 percent of the merchant’s transaction count must originate from enabled chip-reading device terminals (i.e., contact and/or dual interface contact/contactless terminals).

4. The merchant must not be involved in a breach of cardholder data. A breached merchant may qualify for TIP if it has subsequently validated PCI DSS compliance.

What about US Merchants?

Visa has this to say about this program in the United States:

Despite industry interest in chip and dynamic data authentication, the program is not currently available in the United States because recent debit card regulation has cast uncertainty in the marketplace. Visa Inc. may consider implementation of TIP in the United States at a later date based on evolving environmental circumstances.

I think this announcement adds a new dynamic in the form of a potential incentive as it relates to EMV adoption in the US. US merchants may now, in the near future, have an incentive or a discount to consider for EMV implementation (assuming implementation of EMV processing infrastructure), in the form of lower annual PCI compliance validation costs (on-site audits), to offset the cost of new card acceptor devices and updated payment software to support EMV.

If I use EMV we don't need to be PCI compliant!!!

This is a fallacy that I fear will echo. This announcement relates to the validation of compliance, not to ongoing compliance with the PCI DSS, as stated by Visa below:

Although Visa may waive the annual validation requirement for qualifying merchants, all merchants are still required to maintain on-going PCI DSS compliance. Acquirers retain full responsibility for merchants’ PCI DSS compliance, as well as responsibility for any fees, fines or penalties, which may be applicable in the event of a data breach.

Visa’s Misuse of Authorization Fee


As of October 1, 2009, Visa has started to charge a fee of $.045 per misused authorization.

Visa defines a misused authorization as:

Authorizations that are not followed by a matching clearing transaction (or in the case of a cancelled or timed out authorization, not properly reversed)

For MOTO and e-commerce merchants who use payment gateways, there may be some changes to how they perform Auth and Capture transactions, especially if they authorize the transaction at order time and later capture or complete the transaction when they ship a product. Another common pattern is to perform a $1.00 authorization first, with AVS and CVV2 data, followed by an authorization for the total amount of the purchase.

Payment gateways may or may not offer authorization reversals, authorization voids, or other transaction types, so you will need to work with your gateway to identify which transaction types must be performed to "reverse" an authorization for a product that you do not ship. If your practice is to re-authorize after 10 days and let the original authorization expire, you will be hit with the fee.

Visa also supports a new transaction type called Account Verification, a $0.00 authorization, which it hopes merchants will use instead of misused authorizations.

Processors and large merchants with direct connections to VisaNet or to payment gateways will want to verify that their reversal processing also addresses reversals in the time-out scenario.
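As an added example (not from the original post or from Visa), the following Python reconciliation check applies the definition above to a constructed batch of authorization, capture and reversal records: any non-zero authorization with neither a matching clearing transaction nor a reversal is flagged as misused and the fee is totalled. The record layout, the treatment of the $0.00 Account Verification as exempt, and the use of a simple id match (rather than an acquirer's full clearing-match rules) are assumptions.

```python
"""Flag authorizations that would incur Visa's misuse-of-authorization fee.

Added example, not from the original post. A misused authorization is one
not followed by a matching clearing (capture) transaction and, if cancelled
or timed out, not reversed. Record layout below is constructed.
"""
from collections import defaultdict
from decimal import Decimal

MISUSE_FEE = Decimal("0.045")  # dollars per misused authorization (from the post)

# Constructed sample batch: (record type, authorization id, amount).
SAMPLE = [
    ("auth", "A1", Decimal("49.99")), ("capture", "A1", Decimal("49.99")),  # captured
    ("auth", "A2", Decimal("1.00")),                                         # $1 pre-auth, never reversed
    ("auth", "A3", Decimal("120.00")), ("capture", "A3", Decimal("120.00")),  # order captured at shipment
    ("auth", "A4", Decimal("75.00")), ("reverse", "A4", Decimal("75.00")),  # cancelled and reversed
    ("auth", "A5", Decimal("30.00")),                                        # timed out, never reversed
    ("auth", "A6", Decimal("0.00")),                                         # $0.00 Account Verification
]


def find_misused(records):
    """Return the ids of authorizations with neither a capture nor a reversal.

    A $0.00 authorization is treated as an Account Verification and is
    assumed not to require clearing (assumption, see lead-in).
    """
    auths = {}
    followed_by = defaultdict(set)  # record type -> set of authorization ids
    for kind, auth_id, amount in records:
        if kind == "auth":
            auths[auth_id] = amount
        elif kind in ("capture", "reverse"):
            followed_by[kind].add(auth_id)
    return sorted(
        auth_id for auth_id, amount in auths.items()
        if amount != 0
        and auth_id not in followed_by["capture"]
        and auth_id not in followed_by["reverse"]
    )


def misuse_fee(records):
    """Total fee the batch would incur at MISUSE_FEE per misused authorization."""
    return MISUSE_FEE * len(find_misused(records))


if __name__ == "__main__":
    print("misused:", find_misused(SAMPLE), "fee: $", misuse_fee(SAMPLE))
```

In the constructed batch, the $1.00 pre-authorization (A2) and the timed-out authorization (A5) are flagged; replacing the $1.00 pre-auth with a $0.00 Account Verification, or reversing it, removes the charge.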

Visa PIN Security Compliance Validation Training

I'm off to the Visa PIN Security Compliance Validation Training session.

Visa is offering a series of one-day Visa Key Management Training sessions as well as a three-day Visa PIN Security Compliance Validation Training session that will provide up-to-date information on the secure management of cryptographic keys used in ATMs, point-of-sale (POS) PIN pads, encrypting PIN pads and hardware security modules. These sessions are for staff involved in the management or operation of devices that accept PINs, and for personnel who need practical knowledge about the elements of Data Encryption Standard (DES) cryptography and the management of secret encryption keys. In addition to the material covered in the one-day Visa Key Management Training session, the three-day Visa PIN Security Compliance Validation Training session offers an in-depth review of the Payment Card Industry (PCI) PIN Security Requirements, providing internal and external assessors with the tools necessary to complete a PCI PIN security compliance review.

Should be fun.

Visa’s mobile payment services

According to CNet and a few Visa Press Releases:

We see a P2P-like money transfer service for card and mobile phone holders:

Under a pilot program with U.S. Bank, which is scheduled to begin by the end of the year, Visa will offer mobile money transfers from one Visa cardholder’s account to another. A U.S. Bank Visa cardholder would use a Web browser on their phone to access funds and transfer it directly to the recipient’s account. The recipient could then withdraw the funds from an ATM machine, or use the money to make purchases.

and Visa working with cell phone manufacturers on Google's Android platform:

The Visa-Android deal calls for Chase Visa cardholders to use their Android phone not only for transferring money, but also to receive real-time email alerts when transactions happen on their Visa account, receive offers from merchants, and view images on Google Maps to find the location of those merchants who are offering the specials. The Google-Visa deal is expected to begin sometime by the end of the year.

and we begin to see the card and the phone merging into a contactless payment vehicle at the point of sale:

The Nokia 6212 classic includes an integrated Near-Field Communication (NFC) chipset, which lets the mobile device behave like a contactless payment card: consumers simply wave it within a few inches of a special point-of-sale reader to complete a Visa transaction. Nokia and Visa first demonstrated NFC technology in December 2005 with the launch of the first large-scale NFC trial in the United States at Philips Arena in Atlanta.