Visa Excludes U.S. Merchants to Spur Secure Card Adoption
Visa has excluded U.S. businesses from a worldwide program that spurs merchants to deploy more secure payment terminals, because of what it claims is the uncertainty surrounding new debit card rules.
On Wednesday, Visa announced that it will soon stop requiring merchants outside the U.S. to validate their compliance with the Payment Card Industry Data Security Standard (PCI DSS) if at least 75% of the merchant's annual Visa card transactions originated on smartcard-enabled terminals.
To qualify for the program, merchants need to have payment terminals that are complaint with the Europay MasterCard Visa (EMV) smartcard standard and are also equipped to accept both contact-based and contactless transactions. However, U.S merchants that meet these requirements will still be required to validate PCI compliance.
Payment cards based on the EMV standard use an embedded microprocessor instead of a magnetic stripe, to store cardholder data and all of the other information needed to use the card for a transaction.
Each time an EMV-compliant card is swiped at a compliant payment terminal, a unique one-time number that validates the authenticity of the card is created and sent to the card issuer along with the transaction request.
This kind of a dynamic data authentication technology is designed to protect against fraud resulting from the use of cloned cards. The technology is aimed at making it pointless for credit card thieves to steal card data and make counterfeit cards with it, because the cards wouldn't work without authentication.
The technology is widely used around the world and has proven to be effective in reducing some kinds of credit card fraud. However, use of the technology in the U.S. lags far behind .
Visa's new program is both recognition of the effectiveness of the technology and an incentive to spur faster adoption of it, said Eduardo Perez, head of global payment system security at Visa. "We believe this program acknowledges and incents adoption of chip-enabled terminals by merchants," Perez said.
Under the program, merchants still will be required to be compliant with PCI requirement but will no longer have to prove they are compliant. PCI compliance assessments and audits have been a big drain on IT time and resources for the past several years , so any step that eliminates the need for them to prove compliance, is likely to be welcomed by merchants.
"Visa's program makes eminent sense for merchants," said Avivah Litan, an analyst with Gartner. Merchants in some regions of the world have made considerable investments or are making them right now, to upgrade their payments systems to EMV technologies, Litan said.
"If the cards are secure and the data cannot be used even if stolen, and there is no need to worry about data at rest or auditing data at rest, then there is no need for PCI," she said.
Litan said that Visa's program is a good incentive for countries that are in the midst of upgrading their payment systems. But for it to be really meaningful, others such as MasterCard, American Express and Discover will also need to waive the need for PCI compliance validation for such merchants, she added.
Perez said Visa is unable to extend the program to the U.S however because of the uncertainties created by proposed debit-card restrictions by government.
The new rules, which are scheduled to be finalized in April, will among other things, cap the fees that debit card issuers can charge merchants for card transactions.
The rules as proposed are expected to substantially cut into the profits being made on card transactions by banks and credit card companies.
Perez did not explain why that fact would have any direct bearing on Visa's decision not to extend its new incentive program to U.S. merchants. However, a statement released by Visa announcing the new program suggests that the decision may be tied to concerns that financial institutions will be unwilling to make EMV technology investments at a time when they are likely to lose billions in revenues.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org .
Read more about security in Computerworld's Security Topic Center.