Visa announced on February 9, 2011 that as of March 31, 2011, it will allow qualifying merchants outside the U.S. to discontinue their annual Payment Card Industry (PCI) On-Site Assessment. Visa is introducing the Technology Innovation Program (TIP), which essentially applies to merchants that meet all of the following requirements:
- The merchant must have validated compliance previously
- The merchant must confirm that sensitive authentication data is not stored
- At least 75% of the merchant’s transactions must originate from an EMV-enabled chip-reading device
- The merchant must not be involved in a breach of cardholder data
Visa goes on to state that although qualifying merchants may discontinue the annual On-Site Assessment, they must still maintain compliance with the PCI Data Security Standard (DSS).
This program is not currently available in the U.S. because of recent debit card regulations.
Although I am all for advancing technology that makes processes more secure, the notion that organizations no longer need to be formally audited just because they are using more secure technology seems a bit ridiculous. After all, even merchants that are moving to end-to-end encryption must still have a formal audit performed.

Secondly, let’s assume for a moment that a merchant processes 6,000,000 transactions per year. Because the program only requires 75% of transactions to be chip-read, this new requirement could still leave over 1,000,000 credit card transactions unprotected. My point becomes even clearer when we consider that many Level 1 merchants process far more than 6,000,000 transactions per year. Some may argue that this is exactly why Visa still requires merchants to be PCI DSS compliant. However, who is performing the checks? I think it is safe to assume that if a company is not required to have an On-Site Assessment performed, there is a very good chance it will become complacent in keeping up with the evolving PCI DSS. This becomes even more complicated if the merchant doesn’t have a formal internal audit function.

One final point: I could understand this concept more if EMV were a bulletproof technology. However, this is not the case. In fact, some major vulnerabilities have been discovered in this technology. Professor Ross Anderson at Cambridge University states in the article:
> One of the main problems with chip and PIN technology, and which has been highlighted by this research, is that the banks are so sure the technology is secure they often refuse to refund any losses if purchases were made using the secret PIN number, as this is supposed to be known only to the cardholder.
Look, I understand why Visa is doing this. Essentially, Visa is providing an incentive for organizations that use more secure technology: more secure technology equals a lower annual cost of compliance. What is lost here is that more secure technology typically reduces the annual cost of compliance already. For example, for organizations that use end-to-end encryption, do not have access to the encryption key, and do not store any cardholder information, an On-Site Assessment usually costs less because the set of PCI DSS requirements the merchant has to adhere to is significantly reduced. I sincerely hope other card brands don’t follow suit.