Friday, September 20, 2024

Visa Tweaks a Deadline, but Proceeds With PCI Compliance Plan for Small Merchants

In response to pleas from merchant acquirers, Visa Inc. this month modified a deadline in its program to get small merchants into compliance with the Payment Card Industry data-security standard, a program the leading payment card network announced to acquirers in October.

The change affects the usage of qualified integrators and resellers, or QIRs—the companies that install point-of-sale terminals and integrate business-management software for use with POS terminals and payment applications. The updated requirements say that effective March 31, acquirers must communicate to their so-called Level 4 merchants that beginning Jan. 31, 2017, they may use only QIRs that have been certified by the PCI Security Standards Council, the organization that oversees the PCI DSS and its related standards, to install POS terminals and software.

The Oct. 29 announcement had said that, as of March 31, acquirers were to require all newly boarded Level 4 merchants to use only certified QIRs.

A related deadline has not changed: effective Jan. 31, 2017, acquirers must ensure that all Level 4 merchants that enlist third parties use only certified QIRs. Nor has the requirement, also effective Jan. 31 of next year, that acquirers ensure their Level 4 merchants validate their PCI DSS compliance annually.

The requirements apply to U.S. and Canadian acquirers. Level 4 merchants, which generate 1 million or fewer Visa transactions annually, or fewer than 20,000 e-commerce transactions, account for more than 90% of the North American card-accepting merchant base and about 93% of all data breaches, according to Visa figures. The U.S. and Canada are the two countries that have experienced the largest number of small-merchant data breaches, Visa says.

Eduardo Perez, senior vice president of payment system risk, says that after the Oct. 29 bulletin came out, acquirers reported they “needed more time to communicate with their merchants” about the topic of QIRs. “We got a bit of feedback from the acquiring community,” Perez tells Digital Transactions News, adding that making the adjustment on the QIR deadline “was a reasonable” course of action for Visa.

According to Visa, some 80% of small-merchant data breaches involve faulty POS installations, integrations, and servicing by third parties. “Principally, insecure remote access or insecure or common passwords” are to blame, says Perez. Sometimes, vendors even use common access credentials and passwords that enable hackers to install malware on multiple merchants’ POS systems.

Meanwhile, Visa added to the January update details about the Level 4 merchant PCI plan that weren’t in the October bulletin. For example, in a new frequently-asked-questions section, Visa says it will not “proactively enforce the provisions on an individual merchant level.”

Instead, Visa will closely monitor the bi-annual reports that acquirers submit to it and update the report template to capture new data elements so that acquirers can manage their merchant programs in accordance with Visa requirements. “We’re not looking at the individual merchant level, but across the acquirer’s portfolio,” says Perez.

As did the October bulletin, Visa’s update notes that acquirers can avoid annual validation of PCI compliance by their Level 4 merchants if the merchants qualify for the network’s Technology Innovation Program (TIP). That program calls for merchants to submit at least 75% of their Visa transactions through EMV chip card-reading terminals, or through a PCI Council-validated point-to-point encryption system.

Here, too, Visa will look across portfolios and not require individual merchant applications for TIP participation. Perez would not give numbers, but he expects more and more merchants will qualify as they install EMV chip card acceptance in the wake of the card networks’ October 2015 liability shifts, and still others add point-to-point encryption services. “We do expect to see a significant uptake in the adoption of those technologies,” he says.

In addition, Visa considers single-use terminals without Internet connectivity as low-risk and may exclude them from the requirements. Once dominant, these dial-up terminals are found at an ever-decreasing number of merchants.

Although individual merchants may not necessarily need individual PCI compliance validation, acquirers of merchants that do experience data breaches could still incur “non-compliance assessments,” or fines, from Visa. Acquirers usually pass such fines on to their merchants. And if the work of a QIR is found to be at fault, that QIR could be de-listed from the PCI Council’s endorsed list.

Visa says it is working with the Wakefield, Mass.-based PCI Council to increase the number of listed QIRs.
