Card network Visa Inc. plans to eke out even better merchant compliance with the Payment Card Industry Data Security Standard with a new enforcement plan targeting the largest merchants. The program is scheduled for a Jan. 1 start. That’s according to a copy of an Oct. 21 Visa Bulletin obtained by Digital Transactions News. Visa did not respond to an inquiry about the bulletin.
The document outlines a detailed plan to begin noncompliance assessments of Level 1 and Level 2 merchants and of service providers without remediation plans. Level 1 merchants process more than 6 million annual Visa transactions. Level 2 merchants process from 1 million to 6 million annual Visa transactions.
Jan. 1 also is the inception date for compliance with version 3.0 of the PCI DSS, says Greg Rosenberg, security engineer at Chicago-based Trustwave. The bulletin signals there will be more enforcement of existing rules, he says.
The program applies to “VisaNet processors and third party agents that store, process or transmit cardholder data...,” the bulletin notes. Merchants not qualifying for Visa’s Technology Innovation Program, which eliminates the annual requirement for eligible merchants to validate their compliance with the PCI DSS for any year in which at least 75% of the merchant’s Visa transactions originate from EMV chip-enabled terminals, also fall under the program’s focus.
For those organizations between one and 60 days overdue, Visa will mark in yellow the organization’s listing in the Visa Global Registry of Service Providers. The entities also must notify their merchants and agents of the overdue status. After 61 days, the entry is marked in red. Organizations prefer their entries to have no color background at all. As the number of overdue days increases, Visa takes other action, including removal from the registry of service providers, and may assess monthly penalties after 91 days. The Visa bulletin did not disclose the penalty amounts, but Visa’s Core Rules document says penalties for a first violation of noncompliance in Visa’s Cardholder Information Security Program could be as much as $50,000, and as much as $200,000 for three or more violations.
Visa is less patient with organizations that have never shown evidence of PCI compliance, requiring them to notify their merchants and agents immediately of that fact. Penalties under this program can begin as soon as 31 days have passed.
Visa wants merchants and payment services companies to validate their PCI compliance by providing the name of the qualified security assessor performing the validation inquiry and the planned date of validation.
That’s a critical element, Rosenberg says. “In many situations the card brands have no direct connection with service providers, like Web hosting companies or payment gateways,” Rosenberg says. The only way Visa or another card brand will learn about them is if the merchant flags the provider in their self-assessment filings, he says. “They’re trying to close the loop more directly.”
Whether it’s service providers or merchants, PCI compliance should be viewed as a baseline for securing payment data, Rosenberg says. He advocates a risk-based approach, one that entails an examination of any data that a criminal might seek, such as email addresses, birth dates and family information. “PCI doesn’t apply to these other pieces of data,” Rosenberg says. “Merchants still hold a lot of liability when it comes to this information.”
It’s no surprise to David Leppek, president of Trx Services LLC, an Omaha, Neb.-based merchant-services provider, that larger merchants have difficulty achieving PCI compliance.
Larger merchants are challenged because they often have disparate technology systems to manage, he says. Smaller merchants often use off-the-shelf services where the vendor handles PCI compliance, Leppek says.
“Plenty of large merchants have taken PCI compliance seriously,” Leppek tells Digital Transactions News. But Visa’s efforts to gain greater compliance are necessary, he says.
Some very large merchants have an “arrogance” about themselves, he says. They may think because they built the system they know what it can and can’t do. Secondly, it can be difficult for a chief executive of a large company to put a value on PCI compliance, Leppek says. It can be hard to justify the expense of compliance for something classified as a non-functional business requirement, he adds.
As for service providers not in compliance, any background color other than white in the Visa Global Registry of Service Providers can be detrimental, Leppek says. “I would expect to see everybody I deal with in white,” Leppek says. A yellow or red background raises too many questions, he says.