Visa To Offer Cash Rewards For Retail PCI Compliance

Written by Evan Schuman
December 12th, 2006

In a strong concession that fines have not worked in getting retailers to comply with credit card security rules, Visa has switched course and has dedicated $20 million for a fund to reward retailers who actually comply with industry-accepted PCI rules by Aug. 31, 2007.

“This is absolutely a different tactic,” said Jennifer Fischer, a director with Visa USA, which is the nation’s largest payment system company. “We believe that incentives are necessary to achieve compliance. This is the first time a payment card brand has used positive incentives” to encourage security compliance.

The need for such a change is clear, as the pain/punishment tactic has been ineffective, with Visa confirming on Tuesday that only 36 percent of their largest merchants (the Level One retailers) have complied and that number drops to a mere 15 percent for Level 2 merchants. “It’s clearly not where we want to be,” said Eduardo Perez, Visa’s VP for payment system risk.

Level 3 compliance is at “approximately 30 percent and another 30 percent have completed the initial assessment,” while Level 4 includes about six million retailers and has been a recent focus, “so we don’t have statistics to break down yet,” Fischer said.

Fischer said the new program, called the Visa PCI Compliance Acceleration Program (PCI CAP), will give the money to acquiring banks who “will determine the distribution of funds,” which means not all, nor necessarily any, of the money will actually get into the hands of the retail IT departments responsible for delivering the PCI compliance.

The program’s stated goal is “to eradicate the storage of full-track data, CVV2 and PIN data,” according to a statement issued Tuesday by Visa.

To qualify for an incentive payment, acquirers of Level 1 and 2 merchants who have validated full PCI compliance by March 31, 2007 will be eligible to receive a one-time payment for each qualifying merchant. Acquirers whose Level 1 and 2 merchants validate compliance after March 31, 2007, and prior to August 31, 2007 will be eligible to receive a reduced one-time payment for each qualifying merchant.

Acquirers will also be required to validate Level 1 and 2 merchant compliance with PIN security standards. Specifically, Visa said, merchants must not use payment devices, such as PIN pads, that “are known to be vulnerable to compromise,” and merchants must “use unique encryption keys for every device. Additionally, acquirers must demonstrate the establishment of a comprehensive compliance program for Level 3 and 4 merchants.”

To further get retailers’ attention, Visa is also withholding lower credit card interchange rates for those who do not get PCI compliant as of Oct. 1, 2007.

Visa officials also released updated stats on their stick (versus carrot) efforts, saying that 2006 has seen $4.6 million in fines levied, which is roughly 35 percent more than last year’s total fines of $3.4 million.

Mark Rasch, a former federal prosecutor specializing in white collar crimes and now a retail security consultant, said the reward system Visa announced is a good first step as it’s the more complicated and sophisticated response to the PCI compliance problem. “It’s a lot easier to punish someone for a failure than to come up with a metric for success,” he said.

But he had two concerns. The first is whether the new compliance will actually make retailers and their consumers any safer. “The problem is that the definition is being PCI compliant. Being secure is not the same as being compliant,” he said. “Security is usually the bastard stepchild of IT. It’s an afterthought.”

His second concern is that the incentives are not being paid directly to retailers. “It’s out of whack, between the people who mess up and those who have liability,” he said.

