SAN FRANCISCO Feb. 9, 2011
the United States March 31, 2011 Europe
Ellen Richey $100
the United States
International merchants may qualify for the program if they have either previously validated PCI DSS compliance, or provided a plan to come into compliance, and if they have not been involved in a recent material breach of cardholder data. Merchants involved in a compromise will be eligible for participation subject to subsequent PCI DSS compliance validation. Merchants that do not meet the program’s EMV terminalization requirements, including merchants whose transaction volume is primarily from eCommerce and MO/TO acceptance channels, are still required to validate their PCI DSS compliance annually in accordance with Visa compliance programs. Qualifying merchants must continue to protect any sensitive data that remains in their care by ensuring their systems do not store track data, security codes or Personal Identification Numbers (PINs), and that they continue to adhere to the PCI DSS standards as applicable. More details about the program, including a full list of eligibility requirements, are available at Visa.com/CISP.
As a result of increased focus on data security, the commercialization of new security technologies such as encryption and tokenization, and growing global EMV chip adoption, many merchants are seeking guidance to ensure they are investing for the future when they upgrade their acceptance environments. Because Visa recognizes the security benefits of dynamic authentication, enabled by chip, it is offering tangible benefits to merchants who shift or expand their POS infrastructure to become chip enabled. As part of the terminal refresh cycle or when incorporating new security technology like encryption or tokenization, Visa encourages all merchants to move toward dynamic data through the adoption of dual contact/contactless terminals.
Globally, Visa continues to support a range of cardholder verification methods (CVMs) including signature, PIN and no-signature for low-value, low-risk transactions, maintaining interoperability across those methods with technical standards, business rules and compliance programs. PIN usage will continue to depend on merchant terminal adoption, issuer activation and cardholder choice at the point of sale.
Layered Approach to Data Security
Visa has taken a comprehensive and layered approach to payments security with a dual focus: protecting card data wherever it is found in the payment eco-system, and making strategic investments in technologies that enable stakeholders to respond to compromises and prevent fraud. Examples include:
- Data Protection
- Drive global PCI DSS compliance. More than 76 percent of the world’s largest retailers have validated compliance with the security standard.
- Execute an effort to ensure that merchants do not store prohibited data elements, including card security codes and PIN data. Today, almost all Level 1 and 2 merchants globally have conformed to this practice.
- Support the adoption of contact EMV chip to introduce dynamic data used for authentication, thereby reducing data available for fraudulent use.
- Publish best practices on PAN elimination/truncation, tokenization and encryption, which are available at Visa.com/CISP.
- Technology Investments
- Develop the 3D-Secure payment infrastructure that is the backbone of Verified by Visa and is now used by American Express, JCB and MasterCard to facilitate dynamic authentication.
- Innovate network technology such as Visa Advanced Authorization, which uses transactional data to provide an instant risk-score to card issuers – right in the authorization message.
- Invest in CyberSource to deliver best-in-class fraud management services globally. CyberSource’s suite of products provides online retailers with tools to better manage and stop fraud before it happens.
Visa will provide technical guidance over the coming months to further support merchants, acquirers, processors and issuers as they consider adopting EMV chip technology.
About Visa Inc.: www.corporate.visa.com
December 22, 2010
SOURCE Visa Inc.