Visa U.S.A. adds financial incentives, fines to PCI program

New carrot-and-stick approach aims for better compliance

Visa U.S.A. Inc. is adopting a carrot-and-stick approach to help drive merchant compliance with the Payment Card Industry (PCI) data security standard that it -- along with other credit card companies such as MasterCard International Inc. and American Express Co. -- is pushing.

Earlier this week, the company announced that it has created a new $20 million incentive program under which it will monetarily reward "acquiring" financial institutions if their members are fully compliant with PCI requirements by Aug. 31, 2007. At the same time, acquiring banks that fail to ensure compliance by Sept. 30, 2007, will be assessed fines starting at $5,000 a month for each noncompliant merchant. The fines increase to $25,000 per month for each noncompliant merchant after Dec. 31, 2007.

Until now, fines have been assessed only in cases where actual data breaches occurred.

Acquiring banks are those financial institutions that grant retailers and other entities the approval they need to accept credit cards. Under PCI, these banks are contractually responsible for ensuring that merchant members meet PCI requirements.

Visa's new Visa PCI Compliance Acceleration Program is designed to spur entities that are covered by PCI rules to comply in a speedy fashion, said Jennifer Fischer, a director at Visa U.S.A. "This program is part of our larger strategy for protecting cardholder data and to ensure that we are doing everything we can to protect it from compromise," she said.

It targets the financial institutions responsible for the largest 1,200 merchants -- known in PCI-speak as Level 1 and Level 2 merchants -- which together account for about two-thirds of Visa's total transaction volumes, she said. Though nearly 18 months have passed since PCI rules went into full effect, only 36% of Level 1 merchants and 15% of Level 2 merchants are currently compliant with the requirements, according to Visa. The goal is to get all of these merchants fully compliant by the end of August 2007.

As part of the compliance validation process, merchants will need to show that they have purged all magnetic stripe data, Card Verification Value data and PIN data from their point-of-sale (POS) and other systems, Fischer said. The storage of such data is considered extremely risky and is a major violation of PCI rules. Even so, a large number of merchants continue to do so, often because their POS system software stores it by default.
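The purge requirement above is easiest to verify by scanning what POS software actually writes to disk. The following Python scanner is an added example, not code from the article or from Visa; it looks for the three categories of prohibited data named in the article (full magnetic-stripe track data, card verification values and PIN data) in a constructed POS debug log. The track 1 and track 2 layouts are the standard stripe encodings; the field names (`cvv2`, `pinblock`) and the log lines themselves are assumptions made up for the example, and the card numbers are public test numbers. A Luhn check keeps ordinary digit runs such as order ids from being reported as card numbers, and findings are masked so the scanner does not itself create another copy of the data.

```python
import re

# Constructed sample lines in the shape of a POS application debug log.
# The PANs are well-known public test card numbers; nothing here is real data.
SAMPLE_LINES = [
    "2006-12-12 10:01:03 AUTH ok txn=1001 pan=411111******1111 amt=12.50",
    "2006-12-12 10:01:09 DEBUG raw swipe: ;4111111111111111=25121010000000000000?",
    "2006-12-12 10:02:41 DEBUG raw swipe: %B5555555555554444^DOE/JANE^2512101000000000000000?",
    "2006-12-12 10:03:15 AUTH req pan=4111111111111111 cvv2=123 amt=40.00",
    "2006-12-12 10:04:00 AUTH ok txn=1003 pan=555555******4444 amt=40.00",
    "2006-12-12 10:05:22 INFO order_id=1234567890123 shipped",
    "2006-12-12 10:06:10 DEBUG pinblock=0123456789ABCDEF keyidx=3",
]

# Track 2 as read from the magnetic stripe: ';PAN=YYMM<service code>...?'
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})\d*\??")
# Track 1: '%BPAN^NAME^YYMM<service code>...?'
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")
# Card verification value stored next to a field name (field names are assumed)
CVV_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\"?(\d{3,4})\b", re.IGNORECASE)
# PIN or PIN block stored in the clear (field names are assumed)
PIN_FIELD = re.compile(r"\b(pin(?:_?block)?)\s*[=:]\s*\"?([0-9A-Fa-f]{16}|\d{4,12})\b", re.IGNORECASE)


def luhn_ok(pan):
    """Mod-10 check so that ordinary digit runs are not reported as PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep first six and last four digits, the portion PCI permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line):
    """Return (kind, detail) findings for one line; never echo the secret itself."""
    findings = []
    for m in TRACK2.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track2", mask_pan(m.group(1))))
    for m in TRACK1.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track1", mask_pan(m.group(1))))
    for m in CVV_FIELD.finditer(line):
        findings.append(("cvv", m.group(1).lower()))   # report the field, not the value
    for m in PIN_FIELD.finditer(line):
        findings.append(("pin", m.group(1).lower()))   # report the field, not the value
    return findings


def scan(lines):
    """Scan an iterable of text lines; returns (line_number, kind, detail) tuples."""
    results = []
    for n, line in enumerate(lines, start=1):
        for kind, detail in scan_line(line):
            results.append((n, kind, detail))
    return results


if __name__ == "__main__":
    for n, kind, detail in scan(SAMPLE_LINES):
        print(f"line {n}: prohibited {kind} data present ({detail})")
```

Run against the constructed log, the scanner flags the two raw-swipe lines, the clear-text CVV2 and the PIN block, while the masked PANs and the order id pass. In practice the same patterns are run over database exports, log directories and temp files on every system in the cardholder environment, since the article's point is that POS software often retains this data by default and the merchant must prove it is gone.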

"One of our key messages is you don't need that data," Fischer said. "We expect merchants to work with their software vendors to update the software or patch it or do something to make sure their systems are purged" of the data, she said.

The new Visa program is a step in the right direction, said Avivah Litan, an analyst at Gartner Inc. in Stamford, Conn. But to really push PCI compliance, similar actions need to be taken by MasterCard and American Express, she said.

Visa's decision to link its so-called tiered interchange rates to PCI compliance, though, is perhaps far more significant for larger merchants than any one-time monetary reward, Litan said. Interchange rates are the commissions that merchants pay for each credit card transaction. Merchants in different tiers have different rates, with the largest ones paying less than their smaller counterparts.

The prospect of losing this benefit for failing to comply with PCI could be the biggest driver of all, Litan said.

Copyright © 2006 IDG Communications, Inc.
