Visa excludes U.S. merchants to spur secure card adoption

Proposed debit card regulations have created too much uncertainty, Visa says

Visa has excluded U.S. businesses from a worldwide program that encourages merchants to deploy more secure payment terminals, because of what it claims is the uncertainty surrounding new debit card rules.

On Wednesday, Visa announced that it will soon stop requiring merchants outside the U.S. to validate their compliance with the Payment Card Industry Data Security Standard (PCI DSS) if at least 75% of the merchant's annual Visa card transactions originate on smartcard-enabled terminals.

To qualify for the program, merchants need to have payment terminals that are compliant with the Europay, MasterCard and Visa (EMV) smartcard standard and are also equipped to accept both contact-based and contactless transactions. However, U.S merchants that meet these requirements will still have to validate PCI compliance.

Payment cards based on the EMV standard use an embedded microprocessor instead of a magnetic stripe to store cardholder data and all of the other information needed to use a card for a transaction.

Each time an EMV-compliant card is swiped at a compliant payment terminal, a unique one-time number that validates the authenticity of the card is created and sent to the card issuer along with the transaction request.

This kind of a dynamic data-authentication technology is designed to protect against fraud resulting from the use of cloned cards. It is aimed at making it pointless for credit card thieves to steal card data and make counterfeit cards with it, because the cards wouldn't work without authentication.

The technology is widely used around the world and has proved to be effective in reducing some kinds of credit card fraud. However, use of the technology in the U.S. lags far behind.

Visa's new program is both a recognition of the effectiveness of the technology and an incentive to spur faster adoption of it, said Eduardo Perez, head of global payment system security at Visa. "We believe this program acknowledges and incents adoption of chip-enabled terminals by merchants," Perez said.

Under the program, merchants still will be required to be compliant with PCI requirement but will no longer have to prove that they are compliant. PCI compliance assessments and audits have been a big drain on IT time and resources for the past several years, so any step that eliminates the need for them to prove compliance is likely to be welcomed by merchants.

"Visa's program makes eminent sense for merchants," said Avivah Litan, an analyst at Gartner. Merchants in some regions of the world have made considerable investments, or are making them right now, to upgrade their payments systems to EMV technologies, Litan said.

"If the cards are secure and the data cannot be used even if stolen, and there is no need to worry about data at rest or auditing data at rest, then there is no need for PCI," she said.

Litan said that Visa's program is a good incentive for countries that are in the midst of upgrading their payment systems. But for it to be really meaningful, others card issuers such as MasterCard, American Express and Discover will also need to waive the need for PCI compliance validation for such merchants, she added.

Perez said Visa is unable to extend the program to the U.S. because of the uncertainties created by proposed debit-card restrictions by government.

The new rules, which are scheduled to be finalized in April, will, among other things, cap the fees that debit card issuers can charge merchants for card transactions.

The rules as proposed are expected to substantially cut into the profits being made on card transactions by banks and credit card companies.

Perez did not explain why that fact would have any direct bearing on Visa's decision not to extend its new incentive program to U.S. merchants. However, a statement released by Visa announcing the program suggests that the decision may be tied to concerns that financial institutions will be unwilling to make EMV technology investments at a time when they are likely to lose billions in revenue.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at  @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is

Copyright © 2011 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon