Compliance with the Payment Card Industry Data Security Standard (PCI DSS) serves as the foundation of Visa Europe’s Account Information Security (AIS) programme, and is the basis for protecting sensitive cardholder and account data from compromise. Visa Europe’s AIS compliance programme has been instrumental in reducing the compromises of sensitive cardholder data by:
– addressing the removal of stored repositories of sensitive authentication data;
– increasing the level of security and protection afforded to cardholder and account data anywhere it is stored, processed and/or transmitted;
– providing guidance to market sectors that have embraced specific technologies such as data field encryption and tokenisation;
– providing guidance on how organisations can limit their exposure to common causes of account data compromise; and
– providing a balanced and pragmatic risk management based approach for European merchant security, as set out in Member Letter VE 27/09.
In addition to merchants implementing PCI DSS, Visa Europe recognises that many face-to-face merchants throughout Europe have invested significant time and financial resources in migrating to an EMV point-of-sale (POS) acceptance environment. To date, the PCI DSS has been an essential tool in improving the security and protection of cardholder data in general terms and, specifically, in reducing the residual exposure of EMV transactions prior to the iCVV mandate becoming fully effective.
Now that the iCVV issuing mandate has been in place for three years, there is compelling evidence to support the claim that iCVV-based EMV transactions reduce the value and attractiveness of cardholder data to criminals in the face-to-face POS environment.
Visa Europe has been instrumental in providing a balanced and pragmatic risk management approach for European merchants to achieve compliance against the Payment Card Industry Data Security Standard (PCI DSS).
About the Visa Technology Innovation Programme
The new Visa Europe Technology Innovation Programme is part of Visa Europe’s ongoing strategy to protect the payment system and advance security practices that will help secure cardholder data. This programme rewards investment in, and use of, EMV technology as it decreases the value of transaction data to criminals.
As a result, with effect from 30th April 2011, for merchants who meet the defined criteria for EMV maturity as outlined in this Member Letter, Visa Europe will:
• waive penalties for non-compliance or non-progression for acquirers whose merchants complete and maintain milestones 1-2 of the Payment Card Industry’s Prioritised Approach for PCI DSS; and
• grant ‘safe harbour’ from penalties and allocation of incremental counterfeit fraud losses in the event of a data compromise for acquirers whose merchants complete and maintain milestones 1-4 of the Payment Card Industry’s Prioritised Approach for PCI DSS*.
Minimum criteria to qualify for the Technology Innovation Programme
To secure these PCI DSS compliance benefits, a face-to-face merchant must meet all of the following criteria:
1. The merchant must have, at a minimum:
– previously satisfied PCI DSS compliance validation by completing milestones 1-4 of the Payment Card Industry’s Prioritised Approach for PCI DSS or
– previously completed milestone 1 of the Payment Card Industry’s Prioritised Approach for PCI DSS and conducted a PCI DSS gap analysis against milestones 2, 3 and 4. The merchant must have an agreed action plan in place with their acquirer to actively address all identified gaps within a specified time-frame.
2. Annually, at least 95% of the merchant’s total face-to-face POS transaction count must originate from chip-enabled devices**. To qualify, a chip-enabled device must:
a. be a Visa approved device;
b. have a valid and current EMV type approval;
c. have passed Visa’s Acquirer Device Validation Toolkit (ADVT) and, where contactless technology is used, VpTT testing requirements; and
d. have no reported and/or outstanding interoperability issues.
3. The merchant must not have been involved in an account data compromise within the last 12 months. This criterion may be waived at Visa Europe’s discretion if the merchant has subsequently validated PCI DSS compliance after the compromise event.
4. The merchant must establish, and annually test, an incident response plan describing what to do in the event of a suspected account data compromise. This response plan must be consistent with the most up-to-date version of Visa Europe’s What to do if compromised guidance. This guide is available for download at: http://www.visaeurope.com/en/about_us/what_we_do/payment_security.aspx
Note: Merchants that solely operate as e-commerce and/or Mail Order/Telephone Order (MOTO) do not qualify for this programme and must continue to annually validate their PCI DSS compliance in accordance with Visa Europe’s AIS compliance programme.
Merchants who operate both a qualifying face-to-face channel and one or more Card Not Present (CNP) acceptance channels (such as mail order, telephone order or e-commerce), and/or are connected to a franchise network, and who cannot demonstrate adequate segmentation (as defined in PCI DSS) between their face-to-face channel and those other acceptance channels or franchise networks, do not qualify for the TIP programme. As such, they must continue to comply with all existing Visa Europe AIS programme requirements.
Visa Europe will work directly with acquirers to confirm eligible merchants and acquirers’ reporting responsibilities.
Merchants who do not qualify for the TIP programme may seek to limit the availability of all payment card data within their environment through other complementary technologies such as data field encryption and/or tokenisation***.
If you have any questions about how to enrol eligible merchants please contact firstname.lastname@example.org with the message subject as “Visa Europe TIP”.
* ‘Safe harbour’ could be invalidated where sensitive authentication data was stored; where non-compliant changes were made to an entity’s processing environment or policies after validation; or where significant areas of non-compliance can be established through a forensic investigation, including, but not limited to, insufficient sampling of systems at the time of the PCI DSS compliance assessment.
** For merchants that operate globally and/or are multi-acquired, Visa Europe will review a merchant’s eligibility on a case-by-case basis.
*** Best practice guidance on data field encryption and tokenisation can be downloaded from: http://www.visaeurope.com/en/
For more information please visit: www.visaeurope.com/ais