Merchants like to gripe about the Payment Card Industry data-security standard, but in an era of data breaches and rapidly changing payment technology, Visa Inc. thinks a strict approach to the rules of card acceptance is needed more than ever. The largest payment card network is expected to roll out a new PCI enforcement plan targeting large merchants and processors beginning Jan. 1.
An Oct. 21 Visa bulletin obtained by our sister publication Digital Transactions News outlines a detailed plan to begin noncompliance assessments of Level 1 and Level 2 merchants and of service providers without PCI remediation plans. Level 1 merchants process more than 6 million annual Visa transactions; Level 2 sellers, from 1 million to 6 million. Visa did not respond to a request for comment about the bulletin.
Jan. 1 also is the start date for compliance with version 3.0 of the PCI DSS, says Greg Rosenberg, security engineer at Chicago-based security-assessment and technology firm Trustwave Holdings Inc. The bulletin signals there will be more enforcement of existing rules, he says. The card networks enforce the PCI standard mainly through merchant acquirers that deal directly with merchants.
The program applies to “VisaNet processors and third-party agents that store, process, or transmit cardholder data …” the bulletin notes.
Merchants not qualifying for Visa’s Technology Innovation Program (TIP) also fall under the new program’s focus. TIP eliminates the requirement for eligible merchants to annually validate their compliance with the PCI DSS for any year in which at least 75% of the merchant’s Visa transactions originate from terminals that accept Europay-MasterCard-Visa (EMV) chip cards.
For processors one to 60 days overdue on compliance, Visa will mark the organization’s listing in the Visa Global Registry of Service Providers in yellow. The entities also must notify their merchants and agents of the overdue status. After 61 days, the entry is marked in red. Organizations, naturally, prefer that their entries carry no background color at all.
As the number of overdue days increases, Visa could take other action, including removal from the registry of service providers, and may assess monthly penalties after 91 days.
The bulletin did not disclose the penalty amounts, but Visa’s Core Rules document says penalties for a first violation of Visa’s Cardholder Information Security Program (CISP) could cost as much as $50,000, and as much as $200,000 for three or more violations.
Visa is less patient with processors that have never shown evidence of PCI compliance, requiring them to notify their merchants and agents immediately of that fact. Penalties under this program can begin as soon as 31 days have passed.
Visa wants merchants and payment-services companies to validate their PCI compliance by providing the name of the qualified security assessor (QSA) performing the validation testing and the planned date of validation.
That’s a critical element, according to Rosenberg. “In many situations the card brands have no direct connection with service providers, like Web-hosting companies or payment gateways,” Rosenberg says.
The only way Visa or another card brand will learn about them is if the merchant flags the provider in their self-assessment filings, he says. “They’re trying to close the loop more directly.”
Whether it’s service providers or merchants, PCI compliance should be viewed as a baseline for securing payment data, Rosenberg says. He advocates a risk-based approach, one that entails an examination of any data, not just payment card data, that a criminal might seek, such as email addresses, birth dates, and family information.
“PCI doesn’t apply to these other pieces of data,” Rosenberg says. “[But] merchants still hold a lot of liability when it comes to this information.”
—Kevin Woodward