by Paul Prior, SVP Client Engagement
Much has been written over the past number of months in the payments industry regarding the adoption of EMV in the US and yet there remains an unfortunate misconception that its introduction means that PCI DSS “goes away”.
The reality, however, is that this is not the case: the EMV and PCI standards need to coexist and operate within a multi-layered industry framework for ensuring card data and transaction security.
While there is no doubt that EMV can substantially reduce counterfeit fraud, it does not automatically satisfy PCI DSS requirements for the protection of cardholder and sensitive authentication data. The PCI SSC published a detailed guidance document on the matter as long ago as 2010.
The misconception appears to have originated from an incorrect interpretation of the fact that certain card brands (Visa, for example) have waived the requirement for merchants to annually validate their PCI DSS compliance in specific circumstances. Importantly, though, the mandate for merchants to remain compliant has not been rescinded.
Indeed, in a recent update on the Technology Innovation Programme (TIP) dated 26th March 2015, Visa reiterates this point with respect to merchants’ PCI DSS compliance requirements, stating: “Although Visa may eliminate the annual validation requirement for TIP-qualifying merchants, all merchants are still required to maintain ongoing PCI DSS compliance.”
The resulting question for acquirers in the US is: what becomes of our merchant compliance programme? The same publication also states, “Acquirers retain full responsibility for merchants’ PCI DSS compliance… If risk conditions change in any market, Visa may re-evaluate the need for merchants to validate PCI DSS compliance.
In addition, Visa may rescind participation in TIP if it determines that a participant does not meet all program requirements.” This suggests that the acquirer still has a responsibility to monitor and manage the risk profile of both its overall portfolio and of individual merchants in this context.
Indeed, it may be possible to leverage an existing compliance programme to educate merchants, espouse the benefits of EMV and encourage its adoption.
The issue then becomes whether the acquirer’s compliance program is flexible enough to incorporate the card brands’ waiver programs while maintaining the capability to manage merchant risk appropriately and track changes to merchant processing environments.
In the UK, for example, where EMV has been the norm for over a decade, all acquirers in the market still run and maintain merchant compliance programs, albeit with a somewhat less PCI DSS-centric message.
The prevalent view is that while EMV undoubtedly has its benefits, there are equally legitimate and valuable business reasons for implementing merchant compliance programs: they emphasise data security education and awareness, and they preserve the opportunity to interact with merchants about their technology environment and associated risk profile.