Last October, Visa announced a plan to increase payment security among small merchants in the U.S. and Canada. The company recently released an update (PDF) adjusting the deadline for compliance in order to give acquirers and merchants more time to shift their business practices and priorities.
Level 4 merchants now have until January 31, 2017
Visa’s announcement in October stated that effective March 31st, 2016, acquirers must require that newly boarded Level 4 merchants use only Payment Card Industry-certified qualified integrators and resellers (PCI QIR) for POS terminals and software. That deadline has been extended to January 31st, 2017. Acquirers must communicate with small merchants about this deadline by March 31st of this year. The following additional deadlines in the original announcement remain unchanged:
- Effective January 31, 2017 – acquirers must ensure that Level 4 merchants using third parties engage only PCI QIRs
- Effective January 31, 2017 – acquirers must confirm that small merchants evaluate their PCI DSS compliance on an annual basis unless participating in the Technology Innovation Program
The Visa Technology Innovation Program
With these increased security validation requirements, Level 4 merchants are eligible for the Visa Technology Innovation Program (TIP). Merchants who use EMV technology or point-to-point encryption solutions that have been validated by the PCI Security Standards Council most likely will not have to participate in the annual PCI DSS compliance assessment.
To qualify for the TIP, merchants must:
- Confirm that sensitive authentication data are not stored after transaction authorization
- Ensure that at least 75 percent of all transactions originate through EMV terminals or a P2PE solution validated by the PCI SSC
Why Visa is Increasing Security Measures
According to the company, recent investigations have shown that hackers continue to attack small merchants. Level 4 merchants — companies that generate 1 million or fewer Visa transactions annually or fewer than 20,000 e-commerce transactions — don’t grab headlines when they experience a breach, but it happens more often than you might think. Visa figures show that small merchants account for around 93 percent of all data breaches, the highest number of which occur in the U.S. and Canada. The company expands on this in its announcement:
“forensic reports note security protocol gaps in remote access services that integrators and resellers use to provide monitoring and software support (e.g., default or shared remote access IDs without two-factor authentication or regular password changes). For merchants, these gaps create a significant risk of payment data compromise through malware exposure.”
According to Visa, around 80 percent of data breaches at Level 4 merchants are due to faulty POS installations, servicing, and integrations by third parties. The new requirements will increase payment security and provide additional incentive for small merchants to protect their data.