Utter the acronym PCI to a retailer and you’ll likely stimulate a conversation that could range from “What is it?” to “It’s a pain in the keister.”
PCI is shorthand for the Payment Card Industry Security Standards Council and its data security standards. All retailers that accept payment cards must comply with the council’s mandates to protect sensitive cardholder data. Compliance can be expensive, requiring annual and quarterly reporting in some cases and ongoing cost to maintain a secure payment system. The benefit is secure protection of cardholder data, ideally reducing the prospect of fraud or, worse, a major theft of that data.
Now, because of a desire to foster mobile payments, Visa Inc. will have an option to help retailers, especially those accepting mobile payments in their stores, alleviate some of the compliance requirements.
Visa’s plan, closely tied to its announcement earlier this month to accelerate smart card acceptance in the United States, will eliminate the annual PCI compliance mandate for retailers sending at least 75% of their Visa transactions through a chip-enabled payment terminal. The caveat here, and the spur for mobile payment adoption, is that terminals must accept two types of chip-based payments. One is the conventional contact smart card chip embedded in many payment cards around the world. In some nations, the cardholder enters a PIN into the payment terminal after inserting the card. In the United States, Visa says consumers may use a PIN or signature to verify the transaction. The second is the contactless transaction, in which a consumer taps a chip card or a smartphone with a contactless chip (such as those using Near Field Communication technology) on the terminal, or holds it close to the terminal, to communicate account information stored on the chip. The plan, called the Technology Innovation Program, is not slated to start until Oct. 1, 2012.
What I find interesting about this plan is how it differs from the card brands’ efforts in the mid-2000s to spur contactless payments. Other than some clever advertising and a new symbol to affix to payment terminals, there was no incentive for merchants, especially smaller ones, to participate.
While some larger retailers were able to find the money to buy contactless readers, many smaller ones had little incentive to do so. There was no transaction price incentive. They received no money to buy the equipment. And despite some high-profile banks like JPMorgan Chase, which splashed its Blink contactless card everywhere, contactless cards were scarce. Why would a retailer buy equipment that might go unused on the countertop? In the past I saw contactless readers tucked out of the way to free up room to display impulse purchase items by the cash register.
Today, Visa has a different tack. Rather than leave mobile payment acceptance strictly up to the merchant, Visa hopes the carrot of reduced PCI compliance costs can persuade merchants to update their payment terminals. If merchants do that, Visa potentially gains a vastly larger number of merchants where consumers can make mobile payments and other mobile transactions, such as redeeming a coupon.
Fascinated as I am about the prospect of using my phone for more than phone calls and playing Angry Birds, I’m still going to wait and see.