Visa Inc. said it is planning to help merchants that fail to meet two July 1 payment security deadlines.
Acquirers are expected to ensure that their merchant clients use point of sale software that meets the Payment Application Data Security Standard, and that any PIN pads connected to Visa's network use triple data encryption standard technology, also known as triple DES.
The so-called PA-DSS measure is the last of a five-stage compliance effort that Visa began in 2007, according to Jennifer Fischer, a senior business leader at the company.
"This is the final phase of the program for the United States," Fischer said. "Now it's a matter of making sure merchants continue to use compliant programs."
MasterCard Inc. has set a July 1, 2012, global deadline for PA-DSS compliance for its merchants.
Visa plans to assist merchants that are not using software compliant with PA-DSS after the deadline, Fischer said.
"We will work with their acquirers or merchant banks, or in some cases their processors, to identify a road map for them to use a compliant application," she said. "We don't intend to take a punitive approach to the deadline."
Merchants that are purposely flouting the requirement, however, could face penalties.
Visa merchants outside of the United States have until July 1, 2012, to adopt PA-DSS-compliant software.
The use of point of sale payment software elsewhere is not as widespread as it is in the U.S., Fischer said.
Visa's approach for merchants not using triple DES-equipped PIN pads after July 1 is similar to its approach for merchants not using PA-DSS-compliant software, Fischer said.
"If there are instances of merchants not using triple DES, we want to work with the merchants and their acquirers," she said.
Acquirers could face unspecified penalties if their merchant clients continue to use noncompliant devices.
Unattended PIN pads have specific issues, and Visa gave them another two years, until 2012, before it will determine when to set an enforcement deadline, Fischer said.
The technology for triple DES in the unattended environment, such as self-service fuel pumps, had not advanced as far as for PIN pads that rest on a countertop inside a store, she said.
Given the long lead times for these deadlines — Visa announced its PIN-encryption plans in 2005 — point of sale terminal makers and software developers should not expect a rush of orders, said Gil Luria, vice president of equity research at Wedbush Securities Inc., a Los Angeles equity research firm.
Sales probably will have a bit of a lift, he said.
The deadlines, and the potential for penalties for noncompliance, likely will increase merchant awareness of the security mandates, Luria said.
"All of these things would encourage laggards to upgrade," he said. "Some won't do it, and they'll drag it out and suffer the consequences."
