Visa is easing its penalties on retailers that don't meet its credit card data security standards before the deadline, according to partners and observers.
The credit card company, which is anxious to improve merchants' security practices following the infamous breach at TJX Companies earlier this year, had previously stepped up its efforts to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS), a detailed set of specifications that define requirements for protecting credit card data. (See Retailers Still Lag in PCI Compliance and Two Plead Guilty to Selling $6M of Counterfeit Software on eBay .)
But according to a memo issued by Visa partner Fifth Third Processing Solutions earlier this month, the stiff penalties that were previously announced are being softened.
For example, Visa's original guidelines stated that merchants that did not comply with PCI by Oct. 1, 2007, would no longer be eligible for Visa and Interlink tiered interchange programs. The new guidelines now say that non-compliant merchants will simply be downgraded by one tier, according to the memo.
In addition, merchants that achieve PCI compliance by September 30, 2008, may now qualify for repayment of the lost interchange discounts, as well as up to three months of fines they may have paid for non-compliance during 2007, according to the document.
But Visa officials said the guidelines outlined in the memo from Fifth Third are merely a "clarification" of the existing program, not a softening of the company's stance on PCI.
"Based on questions from stakeholders, Visa recently clarified the programs implementation," said Rosetta Jones, vice president of Visa USA, in a written statement that was issued after the initial publication of this story.
"Effective October 1, 2007, acquirers whose Level 1 or 2 merchant are not compliant with PCI Data Security Standard (DSS) compliant will no longer receive the best available interchange rate, being downgraded one tier." Jones said. "Additionally, acquirers of non-compliant Level 1 merchants will be fined monthly starting in October, and Level 2 merchants in January 2008.
"Visa considers merchants that do not make these deadlines to be delinquent in meeting their obligations to properly secure cardholder data," the statement conludes. "Visa remains committed to addressing payment card fraud by enforcing compliance with the PCI DSS among all stakeholders."
David Taylor, president and CEO of the PCI Security Vendor Alliance (PCI SVA) and vice president of data security strategies at Protegrity, says the credit card company is simply dealing with practical realities by making its deadlines and requirements more flexible.
"There are still a lot of merchants that aren't PCI-compliant, and they aren't going to make the deadline," Taylor says. "In the past, when guidelines have been eased, it's been because they've had a lot of merchants expressing concern that they weren't going to make it."
Despite the pressures for better credit card security following the TJX breach, many merchants still find it difficult to meet PCI's rigorous requirements, which mandate that merchants meet more than 140 specific guidelines. Recent estimates suggest that more than half of Visa's top-level merchants still haven't achieved full compliance.
Recognizing this painful reality, Visa has little choice but to dial back the imposition of fines and penalties, Taylor says. "Visa doesn't want banks and merchants to hear that the PCI program is flexible, because they're afraid that merchants will not take it as seriously, or move as quickly," he says. "But my sense is that there's a lot more flexibility in the program than most people know."
Still, banks and merchants shouldn't look at the softer penalties as a license to blow off their PCI efforts, Taylor says. "Visa is very serious about this," he says. "They just recognize that they have to give merchants more time."
Have a comment on this story? Please click "Discuss" at the top of this page. If you'd like to contact Dark Reading's editors directly, send us a message.