Visa made a few new changes public yesterday on their Key Program Dates for their Cardholder Information Security Program. It’s been a Visa heavy month as we watch them push EMV here in the US. Two other posts you should read:
Now, what did Visa announce yesterday? It looks like the Technology Innovation Program (TIP) is coming to the US. But as you already know (because you read the second post above), this doesn’t matter to you. From this release:
Effective 1 October 2012, Visa will expand the Technology Innovation Program (TIP) to the U.S. TIP will eliminate the requirement that eligible merchants annually validate their compliance with the PCI DSS for any year in which at least 75 percent of the merchant’s Visa transactions originate from dual-interface EMV chip- enabled terminals, in addition to meeting other qualification criteria.
Interesting. So it looks like they are sticking with the 75% of payments originating from dual-interface terminals
(as opposed to the 95% from Visa EU). So now that all of you merchants out there are freaking salivating all over myself as I think about a tasty steak dinner, what do you have to do to qualify for this program in the US? Four things:
- Validate PCI DSS compliance within the previous 12 months or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance, based on a gap analysis.
- Confirm that sensitive authentication data (i.e., full contents of magnetic stripe, CVV2 and/or PIN data) is not stored, as defined in the PCI DSS.
- At least 75 percent of the merchant’s total transaction count must originate from dual-interface (contact / contactless) enabled chip-reading device terminals.
- The merchant must not be involved in a breach of cardholder data. A breached merchant may qualify for TIP if they have subsequently validated PCI DSS compliance.
So there it is. Visa done killed off the PCI Assessment. Of course, most of you out there take more than just Visa cards, so it really doesn’t matter much to you, does it?
In addition to this, there were two other interesting documents with deadlines. By April 1, 2013, processors must be able to support chip acceptance, and there will be a liability shift in the US to merchants that DON’T use dual-interface terminals on October 1, 2015. That’s a date to stick in your technology refresh cycle.