Visa Tightens the PCI Harness

Visa Inc. wants small merchants to confirm that they follow the security rules by which larger merchants must abide. The big card network says that beginning Jan. 31, 2017, merchant acquirers must annually validate compliance by their so-called Level 4 merchants with the Payment Card Industry data security standard.

Other new requirements involve qualified integrators and resellers, or QIRs. These are entities that install and integrate business-management software for use with point-of-sale terminals and payment applications.

Visa says that effective March 31, U.S. and Canadian acquirers are to inform their Level 4 merchants that beginning Jan. 31, 2017, they may only use QIRs that are certified by the PCI Security Standards Council, the non-profit that oversees the PCI DSS and its related standards, to install POS terminals and software. Come Jan. 31, acquirers must ensure that small merchants using third parties for POS services are abiding by the new rule.

The new requirements are spelled out in an Oct. 29, 2015, Visa security bulletin and a January update that gave acquirers and merchants more time to meet the QIR requirements. A Visa spokesperson was unavailable for comment on the revision.

“Using QIR companies provides small merchants some protection against a common vulnerability exploited by criminals,” the October bulletin says. “However, this alone will not prevent small-merchant compromises. As such, Visa is expanding its PCI DSS validation program to include Level 4 merchants.”

Visa is trying to fill two well-known security holes. One hole has to do with the heightened risk of small-merchant breaches. The other gap involves small merchants’ reliance on tech vendors that include payments as part of larger point-of-sale installations.

Level 4 merchants, the smallest among the four tiers by which Visa ranks merchants, are businesses that process up to 1 million Visa transactions annually, or fewer than 20,000 Visa e-commerce transactions. Level 4 merchants represent more than 90% of the 5-million-plus card-accepting merchants in the U.S., and they account for a proportionate share of data breaches.

Unlike breaches at Level 1 merchants such as Target Corp. or The Home Depot Inc., the small breaches at Level 4 businesses rarely make headlines, but collectively they present a big security headache.

All card-accepting merchants must comply with the PCI rules, but only big and medium-sized ones currently must validate their compliance through annual tests. Until now, Visa has left validation of Level 4 merchants up to the acquirer.

The bulletin notes that acquirers can avoid the new annual validation requirement if they participate in Visa’s incentive program to grow EMV chip card payments. Dubbed the Technology Innovation Program, or TIP, the program says a merchant does not need annual PCI validation if it submits at least 75% of its Visa transactions through EMV terminals or a PCI Council-validated point-to-point encryption solution, and does not store sensitive cardholder data after transaction authorizations.

Visa has never publicly stated small merchants’ PCI compliance rate, usually terming it as “moderate,” but the Merchant Acquirers’ Committee, a trade group that tracks acquiring risk, has estimated it at 39%.

At the same time, because of their lack of technical expertise, small merchants often rely on tech providers to protect their POS terminals and back-office networks. These providers sometimes do slipshod work.

But many such companies, including value-added resellers (VARs) and integrated software vendors (ISVs), are coming into the payments realm because merchants increasingly want POS applications that do much more than simply process card transactions.

Visa and the PCI Council offered an incentive for VARs and ISVs to become QIRs. Companies that enrolled in a Visa QIR training program by the end of 2015 could receive a discounted price of $197.97 per person, the bulletin says. The standard price wasn’t listed.

While the new PCI validation requirement could affect millions of merchants, Dallas-based payment-security consultant Branden R. Williams doesn’t see Visa’s changes as radical.

“I see this as more of a nudge than a massive policy shift,” Williams says by email. “Visa—and the other payment brands—have always said that Level 4 merchants must be compliant but were only recommended to validate.

“I see this impacting acquirers who have not built merchant-compliance programs more than those who have,” says Williams. “In this case, the nudge from Visa may be to push acquirers and merchants into products and services that qualify for the Technology Innovation Program.”

—Jim Daly