This is page 2 of:
Visa Waives PCI Assessment For Chip-And-PIN Users Outside The U.S., Tweaks U.S. For Payment Law
The statement offered a rather robust defense of EMV security. “Visa has repeatedly underscored the need for authentication solutions to move to dynamic data technologies such as EMV chip,” said Ellen Richey, Chief Enterprise Risk Officer at Visa Inc. “Although Visa’s global fraud rate remains at an all-time low of less than 6 pennies out of every $100 transacted, we believe the future of security lies in dynamic data. Our experience suggests that as markets move to chip they become less vulnerable to counterfeit fraud and, ultimately, to mass data compromise attacks.”
Retailers under the program would certainly not be rid of PCI requirements. Merchants must have validated PCI compliance before entering the program and must still comply with all PCI rules. The merchant can not have been involved in a breach of cardholder data.
A Visa Bulletin makes explicit the need to maintain compliance. “Although Visa may waive the annual validation requirement for qualifying merchants, all merchants are still required to maintain on-going PCI DSS compliance. Acquirers retain full responsibility for merchants’ PCI DSS compliance, as well as responsibility for any fees, fines or penalties, which may be applicable in the event of a data breach. Visa reserves the right to require full PCI DSS validation of compromised entities,” the Bulletin said. “If risk conditions change dramatically, Visa may re-evaluate the need for merchants to validate PCI DSS compliance.”
PCI compliance is a hassle for retailers worldwide, but the U.S. has been pushing these issues the longest and, according to Visa, has much higher PCI compliance stats. For Level 1 chains in the U.S., for example, Visa reports that 96 percent are compliant. The same figure for Level 1 chains outside the U.S., according to Visa, is 76 percent. Both figures were current as of Dec. 31, 2010.
Wal-Mart made waves in May 2010, when it started a very public push to get other retail chains to start using EMV. Since then, though, no major chains have endorsed an EMV and Wal-Mart itself—even though its POS systems can now accept EMV transactions—has not recently done anything public to encourage EMV, other than with its stores bordering Mexico and Canada, two countries that do use EMV.
The problem is complicated and has more than a little bit of a chicken-and-egg dilemma, with retailers having little reason to embrace EMV until more consumers have it in their wallets. And without a retail push, few banks are pushing the issue on their own. Ironically, a program like TIP in the U.S. might have been just the thing to push both sides to make EMV happen. Is Visa letting politics and pride cloud its objective to push EMV in the U.S.?
-Marc
February 10th, 2011 at 8:29 am
Yesterday’s Visa announcement is indeed of very limited value – even outside of the U.S. where EMV is widely deployed. In my experience, the only PCI-related discussion that will help motivate retailers to voluntary action is one that offers the possibility of completely removing parts of their payment processing systems from PCI DSS scope. Visa’s position that the EMV-enabled retailer must still adhere to PCI DSS undermines the business case to a retailer – for it’s not PCI DSS validation that is so difficult for retailers (although, to be sure, it doesn’t help), it’s having to achieve (and then maintain) PCI DSS compliance in the first place. That’s why I believe the possibility of progressing P2PE as outlined in the PCI SSC white paper last fall is so important – in my opinion, merchants will absolutely respond and implement something like P2PE if it offers the promise of taking everything in between the end points out of PCI DSS scope once and for all.