-
Visa has introduced a series of incentives to spur the U.S. to adopt chip cards – a change once considered as likely as the country switching to the metric system.
August 9
Many merchants may still validate their compliance against the Payment Card Industry data security standard even though Visa Inc. has promised to waive that requirement for merchants that accept chip cards.
The EMV Integrated Circuit Card Specifications have been used with cards in Europe since 2004, and as of March 31 this year, Visa merchants outside the U.S. have not had to validate their compliance if they handle enough transactions through chip-accepting terminals.
The PCI Security Standards Council has not seen a major drop in merchant validations in other countries.
"The majority … are doing it because the [standard] is a very good security system," says Bob Russo, general manager of the PCI security standards council. "Some were asking if [chip-card acceptance] was going to be the end of PCI, but it certainly has not been our experience,"
As of October 2012, Visa says merchants will not have to validate their compliance with the PCI standard each year if they accept 75% of their annual Visa transactions through terminals that accept EMV cards.
Visa arrived at the 75% figure because it shows a level of commitment on the merchant's part to use EMV terminals for contact or contactless transactions, says Sandra Chu, a Visa spokeswoman. It also provides flexibility for merchant to convert to full chip acceptance by first focusing on high-volume locations, she says.
But Russo cautions that EMV cannot be considered a substitute for PCI compliance.
"It's a wonderful fraud tool in a face-to-face environment," Russo says of the EMV card. "But it's not a security tool because the [card] information is still there, regardless of mag-stripe or chip, and that data has to be stored and cleared somewhere else."
Russo says he understands why there would be some interest in saving the money by having the option not to validate each year. Visa's incentive regarding validation refers to "re-validating every year," not the ability to totally forgo validation, he says.
"The merchant still has to validate compliance, they just wouldn't have to do it every year, which allows them to spend their money somewhere else related to security," Russo says.
