And finally, my conversation with John Verdeschi, Senior Business Leader, Payment Systems Integrity will wrap up my interviews and posts from the PCI Community Meeting that happened two weeks ago in Scottsdale, AZ. MasterCard is widely known as a major influence in the payment industry and is the number two player in the market behind Visa. If you have ever had to hire an Approved Scan Vendor (ASV) or filled out a Self-Assessment Questionnaire (SAQ), you can thank MasterCard as both of those items are largely distilled from their Site Data Protection (SDP) program.

One of the first things that I had to ask about was how MasterCard’s new PCI DSS Risk-Based Approach framework compared to Visa’s Technology Innovation Program (TIP) and EMV strategy for the US.

Risk, by Fayjo

“Our risk based approach is not necessarily to accelerate EMV [deployments], but to recognize the inherent value that chip brings, and to recognize that merchants who adopt chip have lowered their profile of risk,” said Verdeschi. Based on this lower risk profile, MasterCard will provide some flexibility in how merchants validate their PCI DSS compliance.

MasterCard intends to align with the volume requirements that Visa, Inc. and Visa EU have set forth to qualify for the TIP program, but the actions associated with meeting the minimum criteria are different. One key difference is that MasterCard’s program does not provide any flexibility for US merchants at this time.

From their document, the criteria to participate in this program are for non-US merchants are (cleaned up with minor edits):

  • The merchant is classified as a MasterCard Level 1 or Level 2 merchant based on the SDP Program criteria,
  • The merchant has implemented EMV chip acceptance at its face-to-face point-of-sale (POS) terminals,
  • The merchant must have certified that it is not storing sensitive card authentication data (such as the full contents of the magnetic stripe, card validation code 2 [CVC 2], or the PIN block) as defined in requirement 3.2 of the PCI DSS,
  • The merchant must have fully segregated its card-not-present (CNP) environment from its face-to-face environment,
  • For a merchant located in the MasterCard Europe region, at least 95 percent of the merchant’s annual total combined MasterCard and Maestro face-to-face POS transaction count must originate from EMV chip-enabled devices (that is, the terminal must have a valid and current EMV approval and be capable of processing EMV chip transactions),
  • For a merchant located in any MasterCard non-Europe region outside of the U.S. region, at least 75 percent of the merchant’s annual total combined MasterCard and Maestro transaction count must originate from EMV chip-enabled devices,
  • The merchant must not have been involved in a compromise within the last 12 months. MasterCard may waive this criterion if the merchant can validate that it was fully PCI DSS compliant at the time of the compromise event, and
  • The merchant must establish and annually test an incident response plan that outlines the steps to take in the event of a suspected compromise.

While Visa’s TIP includes contactless payments as part of their eligibility requirements, MasterCard focuses only on the EMV or chip capability.

For countries that have adopted EMV technology, they have benefited from a “dramatically lowered … risk of counterfeit fraud,” said Verdeschi.

While Visa and MasterCard differ on the level of validation that needs to happen to qualify for their respective programs, MasterCard said that it would base its criteria on completing milestones 1-4 of the PCI DSS Prioritized Approach. “When we look at forensics reports in account data compromise situations—especially in chip markets—what we found is that milestones 1-4 provide a very good baseline for preventing compromise in EMV situations,” said Verdeschi.

checklist, by Alan Cleaver

But when it comes down to actions, MasterCard does not offer the escape hatch that Visa does by removing the requirement to submit to an annual validation. In the case of a Level 1 merchant, “the very first time you validate it has to be through a QSA, and from there on out, you still need to annually validate but you can do so with a SAQ,” said Verdeschi.

According to Verdeschi, their customers (especially acquirers) saw the annual validation requirement for merchants to be a very important process. “Our program requires merchants to validate annually,” said Verdeschi.

EMV does not solve all of the data security challenges, what it does is it very effectively lowers overall fraud because it addresses the risk of counterfeiting, said Verdeschi. In this post from the Retail Payments Risk Forum, Douglas King acknowledges that EMV deployments shift fraud from card-present transactions to card-not-present transactions specifically citing facts from Canada, a country that recently went through the EMV push.

It seems to me that a rule change by the payment brands could dramatically reduce card-not-present fraud in the same way that EMV reduces card-present fraud. If all merchants were required to submit the secondary authentication data, sometimes called CVV2, CVC2, or CID, then the data exposed during an EMV transaction would be essentially useless. I can’t remember the last online transaction I performed that did not require the secondary authentication data, but that doesn’t mean you can’t push a transaction through the system without it. That said, “within the system there are incentives for conducting authenticated transactions,” said Verdeschi.

Some countries already have strong recommendations or regulations to this effect. If the US rolled out a similar rule change in conjunction with EMV, I imagine we’d see a double dose of fraud reduction. Unfortunately, MasterCard’s current program does not include participation from US merchants. Visa started out the same way though, so I would expect as we see capabilities around EMV mature in the US, their stance on the Risk-Based Approach will adapt as well.

See also: A Conversation with Bob, Troy, and Jeremy, and A Conversation with Visa.

This post originally appeared on

Possibly Related Posts: