Visa to waive PCI DSS compliance validation for US merchants that deploy chip-enabled terminals

To qualify, terminals must be enabled to support both EMV contact and contactless chip acceptance, including mobile contactless payments based on near field communication (NFC) technology. Contact chip-only or contactless-only terminals will not qualify for the US program.

Qualifying merchants must continue to protect sensitive data in their care by ensuring their systems do not store track data, security codes or PINs, and that they continue to adhere to PCI DSS as applicable.

This is part of an effort by Visa to encourage US adoption of dynamic chip authentication technology. Visa explained that adoption of this chip technology will prepare the US payment infrastructure for NFC-based mobile payments.

Earlier this year, Visa offered a similar PCI DSS compliance waiver program to merchants outside the US.

Chip technology is expected to provide greater credit card payment security through the use of dynamic authentication. Visa said that chip technology reduces a criminal's ability to use stolen payment card data by introducing dynamic values for each transaction. Even if credit card data is compromised, a counterfeit card would be unusable at the point of sale without the presence of the card's unique identifying elements.

"Dynamic authentication is the key to securing payments into the future. Adding dynamic elements to transactions makes account data less attractive to steal and takes more merchant systems out of harm's way, shrinking the battlefield against criminals. The migration to chip technology will be an important security layer and a critical step in a comprehensive strategy to use dynamic authentication across all markets and all channels", said Ellen Richey, Visa’s chief enterprise risk officer.

In addition, Visa will require US acquirer processors and subprocessor service providers to be able to support merchant acceptance of chip transactions no later than April 1, 2013. Chip acceptance will require service providers to be able to carry and process additional data that is included in chip transactions, including the cryptographic message that makes each transaction unique.

Also, effective Oct. 1, 2015, Visa will institute a US liability shift for domestic and cross-border counterfeit card-present point-of-sale (POS) transactions. Merchants who sell fuel will have an additional two years before a liability shift takes effect for transactions generated from automated fuel dispensers.

Currently, POS counterfeit fraud is largely absorbed by card issuers. With the liability shift, if a contact chip card is presented to a merchant that has not adopted, at minimum, contact chip terminals, liability for counterfeit fraud may shift to the merchant's acquirer. The liability shift is designed to encourage chip adoption since any chip-on-chip transaction (chip card read by a chip terminal) provides the dynamic authentication data that helps to better protect all parties.

The US is the only country in the world that has not committed to either a domestic or cross-border liability shift associated with chip payments, according to Visa.
