Visa Waives PCI Assessment For Chip-And-PIN Users Outside The U.S., Tweaks U.S. For Payment Law
Written by Evan SchumanVisa on Wednesday (Feb. 9) rolled out a new security program to push global use of EMV technology, which Visa is no longer calling Chip-and-PIN, opting to instead use the even less-catchy “chip and dynamic data authentication.” The program will allow retailers who push at least 75 percent of their transactions through EMV to avoid the always fun-filled annual PCI DSS revalidation assessment.
Alas, the program is not being offered for U.S. retailers. Even though such an exclusion requires little explanation beyond the obvious (no U.S. retailer is using EMV in meaningful numbers, nor have any said they would any time soon), Visa took the opportunity to not-so-subtly attack Congress and the White House for new payment card regulations.
“Despite industry interest in chip and dynamic data authentication, the program is not currently available in the United States because recent debit card regulation has cast uncertainty in the marketplace,” a Visa statement said, without specifying the nature of the industry interest. There’s been a lot of retailer interest, for example, but that hasn’t translated into meaningful retail deployments.
The statement then offered a quote from Bill Sheedy, a Group Executive for the Americas at Visa, who said the legislation would make banks stop R&D projects.
“With the United States facing government price controls on debit and restrictive routing and exclusivity rules, it is not feasible or appropriate to drive the market toward major infrastructure investments, especially in an environment where financial institutions could lose billions in revenue as a result of the regulation,” Sheedy said. “With such a dramatic potential for revenue loss, financial institutions will likely curtail investments in future innovations.”
Isn’t it just as likely that financial institution executives will push for more such investments, because they hope to find technology that will deliver less expensive and more efficient ways of doing what they need to do? Besides, did bank investment projections actually have anything to do with the decision to not deploy an EMV program in a country with almost no EMV?
Either way, Visa did offer the possibility of adding the EMV program to the U.S. some day. “Visa may consider implementation of [the program] in the United States at a later date based on evolving environmental circumstances,” said a Visa Bulletin. Is that a reference to increased EMV acceptance among retailers or the government’s embrace of a series of more Visa-friendly payment rules? (Yeah, we’ll vote for marketshare, too.)
The global program itself is called the Technology Innovation Program (TIP) and has fairly straightforward requirements: “Terminals must be enabled for contact or dual contact and contactless interface chip acceptance. All merchants outside of the United States are eligible and may begin qualifying for the new program from March 31, 2011. Visa Europe has announced a similar program.”
-Marc
February 10th, 2011 at 8:29 am
Yesterday’s Visa announcement is indeed of very limited value – even outside of the U.S. where EMV is widely deployed. In my experience, the only PCI-related discussion that will help motivate retailers to voluntary action is one that offers the possibility of completely removing parts of their payment processing systems from PCI DSS scope. Visa’s position that the EMV-enabled retailer must still adhere to PCI DSS undermines the business case to a retailer – for it’s not PCI DSS validation that is so difficult for retailers (although, to be sure, it doesn’t help), it’s having to achieve (and then maintain) PCI DSS compliance in the first place. That’s why I believe the possibility of progressing P2PE as outlined in the PCI SSC white paper last fall is so important – in my opinion, merchants will absolutely respond and implement something like P2PE if it offers the promise of taking everything in between the end points out of PCI DSS scope once and for all.