Dark Reading is part of the Informa Tech Division of Informa PLC



Visa Eases PCI Compliance Penalties

Deadlines extended, some fines may be reimbursed if merchants act quickly

Visa is easing its penalties on retailers that don't meet its credit card data security standards before the deadline, according to partners and observers.

The credit card company, which is anxious to improve merchants' security practices following the infamous breach at TJX Companies earlier this year, had previously stepped up its efforts to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS), a detailed set of specifications that defines the requirements for protecting credit card data. (See Retailers Still Lag in PCI Compliance and Two Plead Guilty to Selling $6M of Counterfeit Software on eBay.)

But according to a memo issued by Visa partner Fifth Third Processing Solutions earlier this month, the stiff penalties that were previously announced are being softened.

For example, Visa's original guidelines stated that merchants that did not comply with PCI by Oct. 1, 2007, would no longer be eligible for Visa and Interlink tiered interchange programs. The new guidelines now say that non-compliant merchants will simply be downgraded by one tier, according to the memo.

In addition, merchants that achieve PCI compliance by September 30, 2008, may now qualify for repayment of the lost interchange discounts, as well as up to three months of fines they may have paid for non-compliance during 2007, according to the document.

But Visa officials said the guidelines outlined in the memo from Fifth Third are merely a "clarification" of the existing program, not a softening of the company's stance on PCI.

"Based on questions from stakeholders, Visa recently clarified the program’s implementation," said Rosetta Jones, vice president of Visa USA, in a written statement that was issued after the initial publication of this story.

"Effective October 1, 2007, acquirers whose Level 1 or 2 merchants are not compliant with the PCI Data Security Standard (DSS) will no longer receive the best available interchange rate, being downgraded one tier," Jones said. "Additionally, acquirers of non-compliant Level 1 merchants will be fined monthly starting in October, and Level 2 merchants in January 2008.

"Visa considers merchants that do not make these deadlines to be delinquent in meeting their obligations to properly secure cardholder data," the statement concludes. "Visa remains committed to addressing payment card fraud by enforcing compliance with the PCI DSS among all stakeholders."

David Taylor, president and CEO of the PCI Security Vendor Alliance (PCI SVA) and vice president of data security strategies at Protegrity, says the credit card company is simply dealing with practical realities by making its deadlines and requirements more flexible.

"There are still a lot of merchants that aren't PCI-compliant, and they aren't going to make the deadline," Taylor says. "In the past, when guidelines have been eased, it's been because they've had a lot of merchants expressing concern that they weren't going to make it."

Despite the pressures for better credit card security following the TJX breach, many merchants still find it difficult to meet PCI's rigorous requirements, which mandate that merchants meet more than 140 specific guidelines. Recent estimates suggest that more than half of Visa's top-level merchants still haven't achieved full compliance.

Recognizing this painful reality, Visa has little choice but to dial back the imposition of fines and penalties, Taylor says. "Visa doesn't want banks and merchants to hear that the PCI program is flexible, because they're afraid that merchants will not take it as seriously, or move as quickly," he says. "But my sense is that there's a lot more flexibility in the program than most people know."

Still, banks and merchants shouldn't look at the softer penalties as a license to blow off their PCI efforts, Taylor says. "Visa is very serious about this," he says. "They just recognize that they have to give merchants more time."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
