Visa Inc. on Wednesday said it will relieve merchants outside the U.S.
of the requirement to validate compliance with the Payment Card
Industry data-security standard (PCI) if the merchants process at
least three-quarters of their Visa transactions from chip-enabled
terminals. In a busy day at the world’s largest payments network, Visa
also announced it is shelling out $190 million in cash to buy PlaySpan
Inc., a Santa Clara, Calif.-based processor of digital-goods
transactions, particularly so-called in-game payments.
The new PCI policy, intended as in incentive to speed up deployment of
so-called Europay-MasterCard-Visa (EMV) chip-and-PIN systems,
apparently represents the first time a major card network has offered
to lift the PCI-validation requirement from merchants’ shoulders since
data-security standard was introduced six years ago. Though effective
in combating data breaches if followed rigorously, PCI and its complex
rules often provoke protests from merchants trying to stretch scarce
resources over a wide range of functions.
But Visa is pointedly excluding the U.S. market from its new policy,
which it calls its Technology Innovation Program, citing uncertainties
created by the Durbin Amendment to the Dodd-Frank Act. That law, along
with implementing rules proposed by the Federal Reserve, will
drastically cut the debit card interchange income flowing to issuers.
While the amendment makes allowances for issuers’ fraud-fighting
expenses, how costs for EMV and other such technologies might
ultimately be incorporated into the Fed’s rules remains unclear. The
Fed released its proposal in December and is expected to issue final
rules by April 21.
Many regions of the world, including, most recently, Canada, have
rolled out or are starting to rollout EMV, a technology that
ultimately replaces magnetic stripes with chips that store and protect
cardholder credentials. A security technology that works with EMV, and
one that Visa has been heavily promoting, is dynamic data
authentication. With this technology, the chip transmits back to the
issuer a cryptographic message that authenticates the card as genuine.
The message changes with each transaction, so it is useless if
intercepted.
The Technology Innovation Program is intended to give merchants an
incentive to install and use EMV by relieving them of the costs and
hassles of PCI-compliance validation, Visa says. “It wasn’t prompted
out of concern for the rate of adoption, although we want to
accelerate the rate of adoption [among merchants] that have decided to
adopt EMV technology,” Eduardo Perez, head of global data security at
Visa, tells Digital Transactions News.
To qualify for the program, a merchant must have installed and enabled
chip-reading terminals. “The terminal has to be enabled, it can’t just
be capable,” says Perez. The merchant must also: have previously
validated its PCI compliance or have submitted a plan to do so; not
have sustained a data breach recently; not store card data; and comply
with PCI, even if it no longer has to prove that it does.
While leaving out the U.S. market might seem at first glance a glaring
omission, Perez says lack of clarity about how issuers’ security
investments will be allowed for against the Fed’s stringent debit card
interchange caps makes it difficult to ask banks to take on EMV costs.
Merchants would buy and install chip card readers, but banks would
have to issue chip cards to replace mag-stripe cards. Because of
Durbin, “it’s unfeasible at this point to move the [U.S.] market in
that direction,” Perez notes.
No comments:
Post a Comment