Visa’s EMV Move Will Not Alleviate Need For PCI Compliance: Expert

If data-security standards compliance in the United States mirrors what has occurred in Europe, the onset of EMV chip-and-PIN technology in the U.S. will not mean major retailers will skip validating their compliance with the Payment Card Industry Data Security Standard each year, the head of the PCI Security Standards Council contends.

“We thought the emergence of chip-and-PIN would cause a lot of problems (in merchants feeling PCI standards were not necessary), and some were asking if it was going to be the end of PCI. But it certainly has not been our experience,” Bob Russo, council general manager, tells ISO&Agent Weekly.

The emergence of EMV chip-and-PIN card use in the United States came to light this week when Visa Inc. announced incentives and deadlines for U.S. issuers and merchants to embrace the technology.

As of October 2012, Visa says merchants will not have to validate their compliance with the PCI standard each year if they accept 75% of their annual Visa transactions through terminals that accept EMV cards.

Visa arrived at the 75% figure because it shows a level of commitment on the merchant’s part to using EMV terminals for contact or contactless transactions. It also provides flexibility for merchants to convert to full chip acceptance by first focusing on high-volume locations in the U.S. or internationally, Sandra Chu, a Visa spokesperson, tells ISO&Agent Weekly.

But Russo cautions that chip-and-PIN does not serve the same purpose as payment card data-security standards.

“It’s a wonderful fraud tool in a face-to-face environment,” Russo says of the EMV card. “But it’s not a security tool because the (card) information is still there regardless of mag-stripe or chip, and that data has to be stored and cleared somewhere else.”

Still, Russo also understands why merchants would want to save money by having the option not to validate each year. Visa’s incentive regarding validation refers to “re-validating every year,” not the ability to totally forgo validation, he says.

“The merchant still has to validate compliance. They just wouldn’t have to do it every year, which allows them to spend their money somewhere else related to security,” Russo says.
