Visa’s Global PCI Effort: Small Carrot, No Stick

Written by Evan Schuman
November 14th, 2008

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Visa, long the key driver of compliance with the PCI security standards, is helping to clear up merchant and service provider confusion regarding the global deadlines for PCI DSS compliance. Sept. 30, 2009, is the date when "global merchants and service providers" (who operate in more than one of the Visa-defined regions) must attest that they do not store full magnetic stripe data (track data), security codes or PIN data after transaction authorization.

Sept. 30, 2010, is the date by which all service providers and Level 1 merchants have to submit reports on compliance.

  • The significance of the announcement

    These deadlines will have the most impact in the Asia Pacific and Rest of World regions, since North American and European deadlines were earlier, and these new deadlines do not supersede the prior deadlines. (Editor’s Note: As one Visa person commented, the situation is quite different in Central Europe, the Middle East and Africa: "There are no Level 1s there so it’s not an issue.") QSAs and service providers who do business in AsiaPac say they have been looking for greater clarity on the deadlines to help drive interest in PCI compliance. But this is obviously only the first of a series of announcements.

    For example, the announcement only covers the prohibited data storage deadlines for Level 1 and 2 merchants and the compliance deadlines for Level 1 merchants. This announcement also collapses the service providers into two levels (with a 300,000 transaction break point), from the three that had been in use (and are still used in official standards documents).

  • How important is PCI compliance quality assurance?

    In the last year, there have been enough complaints about the PCI compliance review process to prompt the PCI Security Standards Council to create and publicize a new Quality Assurance process, which has the mission of doing detailed reviews of Reports on Compliance. But in its announcement of global compliance deadlines, there is the surprising statement that "Visa will only require submission of an executed Attestation of Compliance Form and the �Executive Summary’ section of the service provider’s Report on Compliance (ROC) to demonstrate full PCI DSS compliance as a Level 1 service provider."

    One possible implication of this is that Visa wants to ease the compliance process to get more service providers outside the U.S. on board, presumably hoping that once they have paid the typical $10,000 to $50,000 to a QSA for the review and the $5,000 annual registration fee to Visa, they will believe that this will give them "a competitive edge in promoting their services to Visa’s global network of financial institutions and merchants." Visa is also hoping, one would guess, that these service providers will have a strong vested interest in promoting PCI compliance to the global merchant community.

  • Where are the penalties?

    In the "compliance business," two things are very important: deadlines and penalties for not meeting those deadlines. The Visa announcement addresses the first point, so we can expect that a future announcement will include clarification of the penalties for non-compliance, by merchant and service provider level. However, because the penalties are imposed through the acquiring banks, we must assume that Visa is still in the process of negotiating the fines and the process of imposing them with its member banks, particularly in Asia. Deadlines and penalties for Level 2, 3 and 4 merchants will also need to be spelled out in a future announcement.

  • Where are the banks?

    Perhaps the key driver of the success of the PCI DSS compliance efforts in the United States has been the coercive power of the Visa and MasterCard member banks, because of the banks’ contractual relationship with the merchants. This model of passing PCI compliance mandates from the card brands to the banks and from the banks to the merchants has also been reasonably successful in Europe.

    But Asia has lagged behind. While it could be part of Visa’s global "rollout" of PCI, region-by-region, Asia may also be lagging because of its more "merchant-bank-centric" business model. In Japan, this is known as a keiretsu. And although the term has faded from general usage as the Asian markets have evolved, the banking industry in most Asian markets is very dominant and relationships between merchant banks and larger merchants tend to be long-lasting.

    The point is that Visa needs to identify the right combination of positive and negative incentives to convince banks to leverage the "coercive potential" inherent in their close relationships with the Asian merchant community.

  • The Bottom Line

    This announcement has been needed for a while. The list of Asian service providers, referenced in the Asian version of the Visa announcement, indicates that most have been compliant for over a year. However, as we’ve heard in our interviews with Asian-based companies, they have been waiting for announcements that will push the merchant community to drive interest in compliance. Despite the global economic meltdown, this announcement should at least get some in the Asian merchant community to focus more on PCI compliance.

    If you want more information on this topic, the
    PCI Knowledge Base is hosting a Webinar on Global PCI Compliance on November 18. The main speaker will be Howard Glavin, the lead QSA for IBM’s ISS security compliance team, who really knows the Asian (and the global) PCI business. Finally, we have a discussion forum about global compliance issues and another called "Ask a QSA." If you’re a retailer, we want to get you involved in the PCI Best Practices study we’re doing with the National Retail Federation. It’s 100 percent anonymous. Just send us an E-mail at

  • advertisement

    Comments are closed.


    StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

    Most Recent Comments

    Why Did Gonzales Hackers Like European Cards So Much Better?

    I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
    Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
    A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
    The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
    @David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

    Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.