Visa moves to reduce PCI DSS burden send out mixed signals

There has been a mixed response to the moves made by Visa to reduce the burden faced by retailers having to become PCI DSS compliant.

The burden on large retailers needing to prove that they are compliant with the list of PCI measures set out by Visa could be reduced if they put 75% of their transactions through EMV chip-enabled terminals.

Those that are able to put three quarters of their transactions through the latest terminal technology will not have to prove to Visa on an annual basis that they are compliant with the PCI requirements.

Visa is introducing the latest twist to PCI across Europe from 31 March, trying to encourage more retailers to use point of sale (POS) terminals that accept dual contact and contactless chips, to pave the way for more secure and innovative payment systems.

"EMV chip is a proven technology platform that can offer the industry the ability to facilitate dynamic data as well as enable payment innovations," said Jim McCarthy, global head of product at Visa, making reference to mobile device payments.

But the move by Visa could send out mixed signals to retailers, argued Ross Brewer, president and managing director of EMEA at LogRhythm.

"Visa should of course be applauded for trying to reduce the compliance burden for merchants that are using the latest secure technologies...however, this by no means spells the end of compliance - other card firms, including MasterCard, will still require annual validation that regulations are being met - so appropriate compliance procedures still need to be in place," he said.

"Visa's initiative also only impacts a relatively small proportion of merchants. For example, online retailers - for which chip and PIN is not always a viable option - will see no change in their requirements," he added.

But what really worried Brewer was the message it sent out to retailers about the need to protect data throughout its collection and storage lifecycle.

"Perhaps the most interesting thing about Visa's new initiative is the mixed message it sends out about the need to comply with industry best practices.  After all, even if POS security is completely watertight, who's to say that the credit card details stored elsewhere in the merchant's IT infrastructure are just as safe?" he asked.
