

Visa Eases PCI Compliance Penalties

Deadlines extended, some fines may be reimbursed if merchants act quickly

Visa is easing its penalties on retailers that don't meet its credit card data security standards before the deadline, according to partners and observers.

The credit card company, which is anxious to improve merchants' security practices following the infamous breach at TJX Companies earlier this year, had previously stepped up its efforts to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS), a detailed set of specifications that define requirements for protecting credit card data. (See Retailers Still Lag in PCI Compliance and Two Plead Guilty to Selling $6M of Counterfeit Software on eBay.)

But according to a memo issued by Visa partner Fifth Third Processing Solutions earlier this month, the stiff penalties that were previously announced are being softened.

For example, Visa's original guidelines stated that merchants that did not comply with PCI by Oct. 1, 2007, would no longer be eligible for Visa and Interlink tiered interchange programs. The new guidelines say that non-compliant merchants will simply be downgraded by one tier, according to the memo.

In addition, merchants that achieve PCI compliance by September 30, 2008, may now qualify for repayment of the lost interchange discounts, as well as up to three months of fines they may have paid for non-compliance during 2007, according to the document.

But Visa officials said the guidelines outlined in the memo from Fifth Third are merely a "clarification" of the existing program, not a softening of the company's stance on PCI.

"Based on questions from stakeholders, Visa recently clarified the program’s implementation," said Rosetta Jones, vice president of Visa USA, in a written statement that was issued after the initial publication of this story.

"Effective October 1, 2007, acquirers whose Level 1 or 2 merchants are not compliant with the PCI Data Security Standard (DSS) will no longer receive the best available interchange rate, being downgraded one tier," Jones said. "Additionally, acquirers of non-compliant Level 1 merchants will be fined monthly starting in October, and Level 2 merchants in January 2008.

"Visa considers merchants that do not make these deadlines to be delinquent in meeting their obligations to properly secure cardholder data," the statement concludes. "Visa remains committed to addressing payment card fraud by enforcing compliance with the PCI DSS among all stakeholders."

David Taylor, president and CEO of the PCI Security Vendor Alliance (PCI SVA) and vice president of data security strategies at Protegrity, says the credit card company is simply dealing with practical realities by making its deadlines and requirements more flexible.

"There are still a lot of merchants that aren't PCI-compliant, and they aren't going to make the deadline," Taylor says. "In the past, when guidelines have been eased, it's been because they've had a lot of merchants expressing concern that they weren't going to make it."

Despite the pressures for better credit card security following the TJX breach, many merchants still find it difficult to meet PCI's rigorous requirements, which mandate that merchants meet more than 140 specific guidelines. Recent estimates suggest that more than half of Visa's top-level merchants still haven't achieved full compliance.

Recognizing this painful reality, Visa has little choice but to dial back the imposition of fines and penalties, Taylor says. "Visa doesn't want banks and merchants to hear that the PCI program is flexible, because they're afraid that merchants will not take it as seriously, or move as quickly," he says. "But my sense is that there's a lot more flexibility in the program than most people know."

Still, banks and merchants shouldn't look at the softer penalties as a license to blow off their PCI efforts, Taylor says. "Visa is very serious about this," he says. "They just recognize that they have to give merchants more time."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
