Internet Retailer - Strategies For Multi-Channel Retailing


News Stories Friday, July 27, 2007   

Visa PCI compliance program set for small merchants


Visa USA has developed a program designed to help small retailers improve data security and comply with the industry’s Payment Card Industry Data Security Standard. More than 80% of all identified consumer compromises since January 2005 occurred at Level 4 merchants, Visa says. Level 4 companies are those that generate fewer than 20,000 Visa e-commerce transactions—or 1 million total Visa transactions—annually.

Level 4 merchants handle less than one-third of transactions in the Visa system but represent more than 99% of the merchants that accept Visa cards, according to the Electronic Transactions Association.

“Data security breaches involving payment card information occur at small businesses more frequently than at all other merchant levels combined,” says Michael E. Smith, senior vice president, enterprise risk and compliance at Visa USA. “We are committed to working with our acquirers and their small business customers to get ahead of this growing vulnerability.”

Visa’s program calls for acquiring financial institutions, those that process transactions for merchants, to strengthen their existing data security efforts to identify and address risks among small merchant customers. That includes identifying whether merchants are storing sensitive account data and are complying with the industrywide PCI security standard. Visa requires all entities that store, process or transmit Visa cardholder data to comply with the PCI standard, and MasterCard and other major payment brands have similar rules. Visa’s focus to date has been on the largest merchants, however.

Specific deadlines for compliance among Level 4 retailers have not been set, but Visa acquirers are required to provide Visa with a summary of their small merchant compliance plans by July 31. As part of their plans, acquirers must describe how they will identify the greatest potential security risks in order to manage them, Visa says. Factors such as the likelihood of sensitive data retention, transaction volume, market segment, acceptance channel and number of locations, among others, can help qualify or quantify a merchant’s risk level. They also may be used by acquirers to categorize merchants into specific risk groups.

Businesses should evaluate all cardholder data that they store and consider the business case for doing so, Smith says. Visa has embarked on a campaign to educate merchants about cardholder data security, emphasizing the theme “don’t store it if you don’t need it,” Smith says. “Minimizing data storage is the easiest thing a small business can do to mitigate risk.”

The highest priority Visa is asking acquirers to address is verifying that small businesses are not retaining prohibited cardholder data—including magnetic stripe data and PIN data—after transaction authorization. “This is precisely the kind of data most sought by hackers because of its use in counterfeiting payment cards,” Smith adds.


Copyright © 2006 This content is the property of Vertical Web Media.