BreachExchange mailing list archives
Visa Introduces Non-U.S. PCI Relief to Push EMV, Pays $190 Million for PlaySpan
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 10 Feb 2011 21:13:00 -0500
http://www.digitaltransactions.net/news/story/2919

Visa Inc. on Wednesday said it will relieve merchants outside the U.S. of the requirement to validate compliance with the Payment Card Industry data-security standard (PCI) if the merchants process at least three-quarters of their Visa transactions from chip-enabled terminals. In a busy day at the world’s largest payments network, Visa also announced it is shelling out $190 million in cash to buy PlaySpan Inc., a Santa Clara, Calif.-based processor of digital-goods transactions, particularly so-called in-game payments.

The new PCI policy, intended as an incentive to speed up deployment of so-called Europay-MasterCard-Visa (EMV) chip-and-PIN systems, apparently represents the first time a major card network has offered to lift the PCI-validation requirement from merchants’ shoulders since the data-security standard was introduced six years ago. Though effective in combating data breaches if followed rigorously, PCI and its complex rules often provoke protests from merchants trying to stretch scarce resources over a wide range of functions.

But Visa is pointedly excluding the U.S. market from its new policy, which it calls its Technology Innovation Program, citing uncertainties created by the Durbin Amendment to the Dodd-Frank Act. That law, along with implementing rules proposed by the Federal Reserve, will drastically cut the debit card interchange income flowing to issuers. While the amendment makes allowances for issuers’ fraud-fighting expenses, how costs for EMV and other such technologies might ultimately be incorporated into the Fed’s rules remains unclear. The Fed released its proposal in December and is expected to issue final rules by April 21.

Many regions of the world, including, most recently, Canada, have rolled out or are starting to roll out EMV, a technology that ultimately replaces magnetic stripes with chips that store and protect cardholder credentials.
A security technology that works with EMV, and one that Visa has been heavily promoting, is dynamic data authentication. With this technology, the chip transmits back to the issuer a cryptographic message that authenticates the card as genuine. The message changes with each transaction, so it is useless if intercepted.

The Technology Innovation Program is intended to give merchants an incentive to install and use EMV by relieving them of the costs and hassles of PCI-compliance validation, Visa says. “It wasn’t prompted out of concern for the rate of adoption, although we want to accelerate the rate of adoption [among merchants] that have decided to adopt EMV technology,” Eduardo Perez, head of global data security at Visa, tells Digital Transactions News.

To qualify for the program, a merchant must have installed and enabled chip-reading terminals. “The terminal has to be enabled, it can’t just be capable,” says Perez. The merchant must also: have previously validated its PCI compliance or have submitted a plan to do so; not have sustained a data breach recently; not store card data; and comply with PCI, even if it no longer has to prove that it does.

While leaving out the U.S. market might seem at first glance a glaring omission, Perez says lack of clarity about how issuers’ security investments will be allowed for against the Fed’s stringent debit card interchange caps makes it difficult to ask banks to take on EMV costs. Merchants would buy and install chip card readers, but banks would have to issue chip cards to replace mag-stripe cards. Because of Durbin, “it’s unfeasible at this point to move the [U.S.] market in that direction,” Perez notes.

[..]