Computerworld - Visa has excluded U.S. businesses from a worldwide program that encourages merchants to deploy more secure payment terminals, because of what it claims is the uncertainty surrounding new debit card rules.
On Wednesday, Visa announced that it will soon stop requiring merchants outside the U.S. to validate their compliance with the Payment Card Industry Data Security Standard (PCI DSS) if at least 75% of the merchant's annual Visa card transactions originate on smartcard-enabled terminals.
To qualify for the program, merchants need to have payment terminals that are compliant with the Europay, MasterCard and Visa (EMV) smartcard standard and are also equipped to accept both contact-based and contactless transactions. However, U.S merchants that meet these requirements will still have to validate PCI compliance.
Payment cards based on the EMV standard use an embedded microprocessor instead of a magnetic stripe to store cardholder data and all of the other information needed to use a card for a transaction.
Each time an EMV-compliant card is swiped at a compliant payment terminal, a unique one-time number that validates the authenticity of the card is created and sent to the card issuer along with the transaction request.
This kind of a dynamic data-authentication technology is designed to protect against fraud resulting from the use of cloned cards. It is aimed at making it pointless for credit card thieves to steal card data and make counterfeit cards with it, because the cards wouldn't work without authentication.
The technology is widely used around the world and has proved to be effective in reducing some kinds of credit card fraud. However, use of the technology in the U.S. lags far behind.
Visa's new program is both a recognition of the effectiveness of the technology and an incentive to spur faster adoption of it, said Eduardo Perez, head of global payment system security at Visa. "We believe this program acknowledges and incents adoption of chip-enabled terminals by merchants," Perez said.
Under the program, merchants still will be required to be compliant with PCI requirement but will no longer have to prove that they are compliant. PCI compliance assessments and audits have been a big drain on IT time and resources for the past several years, so any step that eliminates the need for them to prove compliance is likely to be welcomed by merchants.
"Visa's program makes eminent sense for merchants," said Avivah Litan, an analyst at Gartner. Merchants in some regions of the world have made considerable investments, or are making them right now, to upgrade their payments systems to EMV technologies, Litan said.
"If the cards are secure and the data cannot be used even if stolen, and there is no need to worry about data at rest or auditing data at rest, then there is no need for PCI," she said.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
