Visa Waives PCI Assessment For Chip-And-PIN Users Outside The U.S., Tweaks U.S. For Payment Law

Written by Evan Schuman
February 10th, 2011

Visa on Wednesday (Feb. 9) rolled out a new security program to push global use of EMV technology, which Visa is no longer calling Chip-and-PIN, opting to instead use the even less-catchy “chip and dynamic data authentication.” The program will allow retailers who push at least 75 percent of their transactions through EMV to avoid the always fun-filled annual PCI DSS revalidation assessment.

Alas, the program is not being offered for U.S. retailers. Even though such an exclusion requires little explanation beyond the obvious (no U.S. retailer is using EMV in meaningful numbers, nor have any said they would any time soon), Visa took the opportunity to not-so-subtly attack Congress and the White House for new payment card regulations.

“Despite industry interest in chip and dynamic data authentication, the program is not currently available in the United States because recent debit card regulation has cast uncertainty in the marketplace,” a Visa statement said, without specifying the nature of the industry interest. There’s been a lot of retailer interest, for example, but that hasn’t translated into meaningful retail deployments.

The statement then offered a quote from Bill Sheedy, a Group Executive for the Americas at Visa, who said the legislation would make banks stop R&D projects.

“With the United States facing government price controls on debit and restrictive routing and exclusivity rules, it is not feasible or appropriate to drive the market toward major infrastructure investments, especially in an environment where financial institutions could lose billions in revenue as a result of the regulation,” Sheedy said. “With such a dramatic potential for revenue loss, financial institutions will likely curtail investments in future innovations.”

Isn’t it just as likely that financial institution executives will push for more such investments, because they hope to find technology that will deliver less expensive and more efficient ways of doing what they need to do? Besides, did bank investment projections actually have anything to do with the decision to not deploy an EMV program in a country with almost no EMV?

Either way, Visa did offer the possibility of adding the EMV program to the U.S. some day. “Visa may consider implementation of [the program] in the United States at a later date based on evolving environmental circumstances,” said a Visa Bulletin. Is that a reference to increased EMV acceptance among retailers or the government’s embrace of a series of more Visa-friendly payment rules? (Yeah, we’ll vote for marketshare, too.)

The global program itself is called the Technology Innovation Program (TIP) and has fairly straightforward requirements: “Terminals must be enabled for contact or dual contact and contactless interface chip acceptance. All merchants outside of the United States are eligible and may begin qualifying for the new program from March 31, 2011. Visa Europe has announced a similar program.”


One Comment | Read Visa Waives PCI Assessment For Chip-And-PIN Users Outside The U.S., Tweaks U.S. For Payment Law

  1. Jim Huguelet Says:

    Yesterday’s Visa announcement is indeed of very limited value – even outside of the U.S. where EMV is widely deployed. In my experience, the only PCI-related discussion that will help motivate retailers to voluntary action is one that offers the possibility of completely removing parts of their payment processing systems from PCI DSS scope. Visa’s position that the EMV-enabled retailer must still adhere to PCI DSS undermines the business case to a retailer – for it’s not PCI DSS validation that is so difficult for retailers (although, to be sure, it doesn’t help), it’s having to achieve (and then maintain) PCI DSS compliance in the first place. That’s why I believe the possibility of progressing P2PE as outlined in the PCI SSC white paper last fall is so important – in my opinion, merchants will absolutely respond and implement something like P2PE if it offers the promise of taking everything in between the end points out of PCI DSS scope once and for all.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.