Gartner – Visa sets Global PCI deadline

Visa announced a global compliance program for the card industry’s key security standard. But many issues remain, including unclear European deadlines and the treatment of merchants that have chip card processing in place.

On 10 November 2008, Visa announced new global standards for compliance with the Payment Card Industry Data Security Standard (PCI DSS) designed to create a consistent worldwide framework for compliance by merchants, service providers and others. The new standards include a global set of requirements for merchants accepting Visa payments to validate compliance with PCI DSS, deadlines for the largest merchants to achieve validation, and deadlines for large and mid-level merchants to demonstrate that they are not storing certain types of sensitive card data. The new deadlines and processes do not, however, apply to European merchants and service providers.

Analysis

The Visa announcement provides some much-needed clarification for the PCI DSS compliance and validation process for some merchants and service providers outside the United States. Visa merchants and service levels are aligned across most world regions, and deadlines and requirements have been set for demonstrating PCI DSS compliance. Nonetheless, several critical PCI DSS questions remain:

  • Visa deadlines and processes will be different in Europe, because Visa Europe is an independent licensee of Visa international. The absence of published deadlines for European companies leaves that region in its current confused state of PCI compliance.
  • Although Visa has once again taken the lead among card brands in moving the PCI compliance process forward, Gartner is not aware of any similar transparent global enforcement efforts or deadlines announced by American Express, Discover, JCB or MasterCard.

Moreover, many of the affected merchants and processors in the different global regions (including Latin America and Asia) — unlike their counterparts in the United States — have already spent considerable sums upgrading their infrastructure to support card brand mandates to roll out chip and personal identification number (PIN) cards. These same companies must now begin the often-costly PCI compliance process. Merchants Gartner has consulted believe they should be granted some type of compensation (in the form of reduced PCI compliance requirements or extended deadlines) for their chip and PIN support. Visa has indicated that some limited compensation is available to the largest European (Level 1) retailers, whose acquirers may, at their discretion, recategorize them to Level 2 if they have successfully deployed Europay, MasterCard and Visa (EMV) Chip and PIN, and EMV chip cards are encoded with iCVV (card verification value for integrated circuit cards).

Recommendations

Merchants and service providers:

  • Continue to focus on strengthening cardholder data security first, because PCI compliance will follow by default.
  • Begin securing your cardholder data and systems now, and do not wait for your acquiring bank to contact you about PCI compliance.

Visa Europe:

  • Publish deadlines and processes for European companies that must comply with PCI standards.

All card brands:

  • Strengthen the security of the payment system by recognizing that magnetic stripes on cards will not go away until all countries and cardholders move to chip and PIN, and by adding cardholder authentication to magnetic-stripe cards
  • Create a new Self-Assessment Questionnaire with further-reduced PCI DSS compliance requirements for merchants who have upgraded to chip and PIN infrastructure and are not storing any electronic cardholder data.

visa_sets_global_pci_deadlin_163330.pdf (application/pdf Object).