Thursday, August 11, 2011

Visa Supports EMV Cards - Can You Skip PCI Revalidation?

The two thoughts in the headline might seem unrelated, but they are actually part of the same idea.

In case you missed it, Visa released four (!) bulletins on Tuesday about their plans to accelerate the acceptance of chip technology for both card and mobile device transactions. What follows is a brief discussion of each of the releases, links to the original docs, and a few editorial comments (as if you had to ask...).

The first bulletin describes Visa's plans to "accelerate the migration to contact and contactless EMV [named after the three organizations behind the standard: Eurocard, MasterCard, and Visa] chip technology in the United States." It is a great overview of Visa's strategy, explains the technology a bit, and links to the following three bulletins.

In a second bulletin, Visa describes the details, particularly incentives for merchants to upgrade their POS devices to process chip transactions. The carrot: "Visa will waive Payment Card Industry Data Security Standard (PCI DSS) compliance validation requirements to encourage merchant investment in contact and contactless chip payment terminals."

Wowsers...did Visa just say they were waiving PCI compliance!?! No, they did not say that. What Visa said was that effective October 2012, if a merchant (1) had validated its compliance in the last 12 months, (2) didn't store sensitive authentication data (like the security codes or mag stripe), (3) was not involved in a cardholder data breach, AND (4) processed at least 75% of their transactions on "dual-interface EMV chip-enabled terminals", they could participate in the Technology Innovation Program (TIP).

Under TIP, the merchant does not need to RE-VALIDATE compliance each year. You still have to be compliant, and if you get breached the same penalties presumably will apply, but you don't have to re-validate your PCI compliance.

This TIP program (already available in Europe) is what has lots of people buzzing. What does it mean for Higher Ed? I've got some thoughts (naturally!), and they are a bit further down.

Who ever heard of a carrot without a stick? Certainly not Visa, and the "stick" is in a third bulletin. This one describes a liability shift. Simply put, after October 2015 (note the different date) the rules for who is responsible for POS fraud shift: "This policy assigns liability for counterfeit fraud to the party that has not [Visa's emphasis] made the investment in EMV chip cards (issuers) or terminals (merchants' acquirers)."

Many observers and blogs are missing this liability shift. Read it carefully. It looks to me like Visa wants everybody in the US to have a chip card by 2015.

Therefore, if a merchant and/or acquirer (or processor) doesn't buy POS terminals and upgrade their back office systems to process chip transactions, they eat any and all POS fraud.

The fourth bulletin is the acquirer/processor mandate, and it mainly contains technical details on Field 55 and other message elements.

What does this mean for Higher Ed? Should you go out and start pricing EMV chip-enabled POS terminals for everybody? Do you have to? How much will TIP save you if you qualify?

Good questions all. First some full disclosure: I am a QSA, so I might be biased in some of this; also I used to work for Visa, and those were some of the happiest years of my professional life, so again I might be biased. Given all that, here are some thoughts to get us started...

Kudos to Visa for showing leadership. The US is far behind the rest of the world in terms of card technology. As a cardholder I applaud what they are doing. Even if fewer companies need QSAs, I'm willing to start polishing my resume. Besides, nobody waived PCI compliance, just the formal re-validation (once you have validated). I hope I don't have to wait until 2015 to get my chip card.

Will the other brands follow suit? When will we see MasterCard's, Amex', or Discover's chip acceleration plan? If they don't, any benefit from TIP will be reduced to about zero since those brands will still require PCI compliance re-validation.

Speaking of a carrot...what carrot!?! I don't see how anyone but the biggest (Level 1 and some Level 2) merchants get any benefit from TIP. Smaller merchants don't hire QSAs to prepare a Report on Compliance (ROC), they hire QSAs as consultants. So not requiring one is no big deal. Also, in the past the card brands offered incentive (i.e., lower) interchange rates to offset the cost of merchant technology investment mandates. Here, there is no incentive. Think about it: the card brands introduce a "tax" on all merchants called PCI compliance; one brand then offers to waive the tax if you spend money on technology. To me, that's just giving you back your own money. TIP seems to cost Visa and its issuers not a penny.

Doesn't waiving PCI compliance re-validation hurt security? Visa said their objective was increasing security by encouraging chip technology. I think we have to wait and see if waiving formal compliance re-validation causes merchants to get lazy and backpedal on security.

What about MOTO and ecommerce? Good question. These announcements only dealt with POS transactions. As far as I can tell, chip cards won't help much when the card isn't present. Plus, remember the cards still have mag stripes.

What does this mean for Higher Ed? My guess is it means very little in terms of incentives. However, it does mean that you need to have the "dual-interface EMV chip-enabled" POS devices at least by October 2015. It might be time to talk to your acquirer/processor and look at your technology budgets. Then again, if you don't have much POS fraud, maybe you can skate along for a while. I wouldn't advise it, but...

For a great post and discussion, surf over to Securosis and have a read.
