Visa announced a global compliance program for the card industry’s key security standard. But many issues remain, including unclear European deadlines and the treatment of merchants that have chip card processing in place.
On 10 November 2008, Visa announced new global standards for compliance with the Payment Card Industry Data Security Standard (PCI DSS) designed to create a consistent worldwide framework for compliance by merchants, service providers and others. The new standards include a global set of requirements for merchants accepting Visa payments to validate compliance with PCI DSS, deadlines for the largest merchants to achieve validation, and deadlines for large and mid-level merchants to demonstrate that they are not storing certain types of sensitive card data. The new deadlines and processes do not, however, apply to European merchants and service providers.
The Visa announcement provides some much-needed clarification of the PCI DSS compliance and validation process for some merchants and service providers outside the United States. Visa merchants and service levels are aligned across most world regions, and deadlines and requirements have been set for demonstrating PCI DSS compliance. Nonetheless, several critical PCI DSS questions remain:
Moreover, many of the affected merchants and processors in the different global regions (including Latin America and Asia) — unlike their counterparts in the United States — have already spent considerable sums upgrading their infrastructure to support card brand mandates to roll out chip and personal identification number (PIN) cards. These same companies must now begin the often-costly PCI compliance process. Merchants that Gartner has consulted believe they should be granted some type of compensation (in the form of reduced PCI compliance requirements or extended deadlines) for their chip and PIN support. Visa has indicated that some limited compensation is available to the largest European (Level 1) retailers, whose acquirers may, at their discretion, recategorize them to Level 2 if they have successfully deployed Europay, MasterCard and Visa (EMV) Chip and PIN, and EMV chip cards are encoded with iCVV (card verification value for integrated circuit cards).
Merchants and service providers:
All card brands: