An industry first, Visa’s Technology Innovation Program (TIP) will eliminate the requirement that eligible merchants annually validate their compliance with the PCI DSS for any year in which at least 75 percent of the merchant’s Visa transactions originate from chip-enabled terminals. To qualify, terminals must be enabled for contact or dual contact and contactless interface chip acceptance. All merchants outside of the United States are eligible and may begin qualifying for the new program from March 31, 2011. Visa Europe has announced a similar program.
“Visa has repeatedly underscored the need for authentication solutions to move to dynamic data technologies such as EMV chip,” said Ellen Richey, Chief Enterprise Risk Officer, Visa Inc. “Although Visa’s global fraud rate remains at an all-time low of less than 6 pennies out of every $100 transacted, we believe the future of security lies in dynamic data. Our experience suggests that as markets move to chip they become less vulnerable to counterfeit fraud and, ultimately, to mass data compromise attacks.”
Despite industry interest in chip and dynamic data authentication, the program is not currently available in the United States because recent debit card regulation has cast uncertainty in the marketplace.
“With the United States facing government price controls on debit and restrictive routing and exclusivity rules, it is not feasible or appropriate to drive the market toward major infrastructure investments, especially in an environment where financial institutions could lose billions in revenue as a result of the regulation,” said Bill Sheedy, Group Executive for the Americas, Visa Inc. “With such a dramatic potential for revenue loss, financial institutions will likely curtail investments in future innovations.”
International merchants may qualify for the program if they have either previously validated PCI DSS compliance, or provided a plan to come into compliance, and if they have not been involved in a recent material breach of cardholder data. Merchants involved in a compromise will be eligible for participation subject to subsequent PCI DSS compliance validation. Merchants that do not meet the program’s EMV terminalization requirements, including merchants whose transaction volume is primarily from eCommerce and MO/TO acceptance channels, are still required to validate their PCI DSS compliance annually in accordance with Visa compliance programs. Qualifying merchants must continue to protect any sensitive data that remains in their care by ensuring their systems do not store track data, security codes or Personal Identification Numbers (PINs), and that they continue to adhere to the PCI DSS standards as applicable. More details about the program, including a full list of eligibility requirements, are available at Visa.com/CISP.
“EMV chip is a proven technology platform that can offer the industry the ability to facilitate dynamic data as well as enable payment innovations,” said Jim McCarthy, global head of product, Visa Inc. “In addition, merchant adoption of dual interface contact/contactless terminals will support the emergence of near field communication (NFC) payment form factors, including mobile devices.”
As a result of increased focus on data security, the commercialization of new security technologies such as encryption and tokenization, and growing global EMV chip adoption, many merchants are seeking guidance to ensure they are investing for the future when they upgrade their acceptance environments. Because Visa recognizes the security benefits of dynamic authentication, enabled by chip, it is offering tangible benefits to merchants who shift or expand their POS infrastructure to become chip enabled. As part of the terminal refresh cycle or when incorporating new security technology like encryption or tokenization, Visa encourages all merchants to move toward dynamic data through the adoption of dual contact/contactless terminals.
Globally, Visa continues to support a range of cardholder verification methods (CVMs) including signature, PIN and no-signature for low-value, low-risk transactions, maintaining interoperability across those methods with technical standards, business rules and compliance programs. PIN usage will continue to depend on merchant terminal adoption, issuer activation and cardholder choice at the point of sale.
* Data Protection
  o Drive global PCI DSS compliance. More than 76 percent of the world’s largest retailers have validated compliance with the security standard.
  o Execute an effort to ensure that merchants do not store prohibited data elements, including card security codes and PIN data. Today, almost all Level 1 and 2 merchants globally have conformed to this practice.
  o Support the adoption of contact EMV chip to introduce dynamic data used for authentication, thereby reducing data available for fraudulent use.
  o Publish best practices on PAN elimination/truncation, tokenization and encryption, which are available at Visa.com/CISP.
* Technology Investments
  o Develop the 3D-Secure payment infrastructure that is the backbone of Verified by Visa and is now used by American Express, JCB and MasterCard to facilitate dynamic authentication.
  o Innovate network technology such as Visa Advanced Authorization, which uses transactional data to provide an instant risk-score to card issuers – right in the authorization message.
  o Invest in CyberSource to deliver best-in-class fraud management services globally. CyberSource's suite of products provides online retailers with tools to better manage and stop fraud before it happens.
Visa will provide technical guidance over the coming months to further support merchants, acquirers, processors and issuers as they consider adopting EMV chip technology.