Escape hatch, by rubber paw

Interesting note from Visa yesterday. They have given non-US merchants an escape hatch (Visa Europe’s version is here and differs from the Visa Inc. version in several ways) for validating PCI DSS compliance annually if they meet four specific requirements:

  1. The merchant must have validated PCI DSS compliance previously, or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance based on a gap analysis. Visa Europe provides a separate procedure: the merchant must either have previously satisfied PCI DSS compliance validation by completing milestones 1-4 of the Payment Card Industry's Prioritised Approach for PCI DSS, OR have previously completed milestone 1 of the Prioritised Approach and conducted a PCI DSS gap analysis against milestones 2, 3 and 4. The merchant must have an agreed action plan in place with their acquirer to actively address all identified gaps within a specified time-frame.
  2. The merchant must have confirmed that sensitive authentication data (i.e., the full contents of the magnetic stripe, CVV2 or PIN data) is not stored, as defined in the PCI DSS.
  3. At least 75 percent of the merchant's face-to-face transaction count (95 percent if you are in Europe, per Visa Europe's rules) must originate from enabled chip-reading devices (i.e., Chip & PIN / EMV terminals, whether contact-only or dual-interface contact/contactless).
  4. The merchant must not be involved in a breach of cardholder data. A breached merchant may qualify … if it has subsequently validated PCI DSS compliance.

They go on to say in the release that merchants must still maintain their PCI DSS compliance, but as merchants have demonstrated in the past, I believe this will become a "compliant until compromised" type of situation. With a diligent implementation of EMV and a close watch on their systems, maybe it won't be too much of an issue.

What is interesting to me is that this is a Visa-only bulletin. What if you accept MasterCard or Discover transactions? You may be subject to reciprocity rules, and you would still need to validate. What if you accept enough American Express or JCB transactions to qualify for an annual assessment? You still need to do it.

My guess is that this is one way for Visa to save face with the global community after announcing global fines which, theoretically, should have started last October.

Update: Added specific distinctions between Visa Inc.'s and Visa Europe's versions of the Technology Innovation Program (TIP).

