Last week, Visa announced a new Payment Card Industry Data Security Standard (PCI DSS) compliance program that will fuel dynamic data authentication.
This will mean that merchants will not need to validate their compliance with the Payment Card Industry Data Security Standard (PCI DSS) if at least 75% of the merchant’s annual Visa card transactions originate on smartcard-enabled terminals.
To qualify for the program, merchants need to have payment terminals that are compliant with the Europay, MasterCard and Visa (EMV) smartcard standard and are also equipped to accept both contact-based and contactless transactions.
Payment cards based on the EMV standard use an embedded microprocessor instead of a magnetic stripe to store cardholder data and all of the other information needed to use a card for a transaction.
Each time an EMV-compliant card is swiped at a compliant payment terminal, a unique one-time number that validates the authenticity of the card is created and sent to the card issuer along with the transaction request.
This kind of a dynamic data-authentication technology is designed to protect against fraud resulting from the use of cloned cards. It is aimed at making it pointless for credit card thieves to steal card data and make counterfeit cards with it, because the cards wouldn’t work without authentication.
The technology is widely used around the world and has proved to be effective in reducing some kinds of credit card fraud.
“Visa has repeatedly underscored the need for authentication solutions to move to dynamic data technologies such as EMV chip,” said Ellen Richey, Chief Enterprise Risk Officer, Visa Inc. “Although Visa’s global fraud rate remains at an all-time low of less than 6 pennies out of every $100 transacted, we believe the future of security lies in dynamic data. Our experience suggests that as markets move to chip they become less vulnerable to counterfeit fraud and, ultimately, to mass data compromise attacks.”
Visa’s new program is both a recognition of the effectiveness of the technology and an incentive to spur faster adoption of it, said Eduardo Perez, head of global payment system security at Visa. “We believe this program acknowledges and incents adoption of chip-enabled terminals by merchants,” Perez said.
Under the program, merchants still will be required to be compliant with PCI requirement but will no longer have to prove that they are compliant. PCI compliance assessments and audits have been a big drain on IT time and resources for the past several years, so any step that eliminates the need for them to prove compliance is likely to be welcomed by merchants.
“Visa’s program makes eminent sense for merchants,” said Avivah Litan, an analyst at Gartner. Merchants in some regions of the world have made considerable investments, or are making them right now, to upgrade their payments systems to EMV technologies, Litan said.
“If the cards are secure and the data cannot be used even if stolen, and there is no need to worry about data at rest or auditing data at rest, then there is no need for PCI,” she said.
Litan said that Visa’s program is a good incentive for countries that are in the midst of upgrading their payment systems. But for it to be really meaningful, others card issuers such as MasterCard, American Express and Discover will also need to waive the need for PCI compliance validation for such merchants, she added.
International merchants may qualify for the program if they have either previously validated PCI DSS compliance, or provided a plan to come into compliance, and if they have not been involved in a recent material breach of cardholder data. Merchants involved in a compromise will be eligible for participation subject to subsequent PCI DSS compliance validation. Merchants that do not meet the program’s EMV terminalization requirements, including merchants whose transaction volume is primarily from eCommerce and MO/TO acceptance channels, are still required to validate their PCI DSS compliance annually in accordance with Visa compliance programs. Qualifying merchants must continue to protect any sensitive data that remains in their care by ensuring their systems do not store track data, security codes or Personal Identification Numbers (PINs), and that they continue to adhere to the PCI DSS standards as applicable.