Visa's Global PCI Effort: Small Carrot, No Stick

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Visa, long the key driver of compliance with the PCI security standards, is helping to clear up merchant and service provider confusion regarding the global deadlines for PCI DSS compliance. Sept. 30, 2009, is the date when "global merchants and service providers" (who operate in more than one of the Visa-defined regions) must attest that they do not store full magnetic stripe data (track data), security codes or PIN data after transaction authorization.

Sept. 30, 2010, is the date by which all service providers and Level 1 merchants have to submit reports on compliance.

  • The significance of the announcement

    These deadlines will have the most impact in the Asia Pacific and Rest of World regions, since North American and European deadlines were earlier, and these new deadlines do not supersede the prior deadlines. (Editor's Note: As one Visa person commented, the situation is quite different in Central Europe, the Middle East and Africa: "There are no Level 1s there so it's not an issue.") QSAs and service providers who do business in AsiaPac say they have been looking for greater clarity on the deadlines to help drive interest in PCI compliance. But this is obviously only the first of a series of announcements.

    For example, the announcement only covers the prohibited data storage deadlines for Level 1 and 2 merchants and the compliance deadlines for Level 1 merchants. This announcement also collapses the service providers into two levels (with a 300,000 transaction break point), from the three that had been in use (and are still used in official standards documents).

  • How important is PCI compliance quality assurance?

    In the last year, there have been enough complaints about the PCI compliance review process to prompt the PCI Security Standards Council to create and publicize a new Quality Assurance process, which has the mission of doing detailed reviews of Reports on Compliance. But in its announcement of global compliance deadlines, there is the surprising statement that "Visa will only require submission of an executed Attestation of Compliance Form and the 'Executive Summary' section of the service provider's Report on Compliance (ROC) to demonstrate full PCI DSS compliance as a Level 1 service provider."

    One possible implication of this is that Visa wants to ease the compliance process to get more service providers outside the U.S. on board, presumably hoping that once they have paid the typical $10,000 to $50,000 to a QSA for the review and the $5,000 annual registration fee to Visa, they will believe that this will give them "a competitive edge in promoting their services to Visa's global network of financial institutions and merchants." Visa is also hoping, one would guess, that these service providers will have a strong vested interest in promoting PCI compliance to the global merchant community.

  • Where are the penalties?

    In the "compliance business," two things are very important: deadlines and penalties for not meeting those deadlines. The Visa announcement addresses the first point, so we can expect that a future announcement will include clarification of the penalties for non-compliance, by merchant and service provider level. However, because the penalties are imposed through the acquiring banks, we must assume that Visa is still in the process of negotiating the fines and the process of imposing them with its member banks, particularly in Asia. Deadlines and penalties for Level 2, 3 and 4 merchants will also need to be spelled out in a future announcement.

  • Where are the banks?

    Perhaps the key driver of the success of the PCI DSS compliance efforts in the United States has been the coercive power of the Visa and MasterCard member banks, because of the banks' contractual relationship with the merchants. This model of passing PCI compliance mandates from the card brands to the banks and from the banks to the merchants has also been reasonably successful in Europe.

    But Asia has lagged behind. While it could be part of Visa's global "rollout" of PCI, region-by-region, Asia may also be lagging because of its more "merchant-bank-centric" business model. In Japan, this is known as a keiretsu. And although the term has faded from general usage as the Asian markets have evolved, the banking industry in most Asian markets is very dominant and relationships between merchant banks and larger merchants tend to be long-lasting.

    The point is that Visa needs to identify the right combination of positive and negative incentives to convince banks to leverage the "coercive potential" inherent in their close relationships with the Asian merchant community.

  • The Bottom Line

    This announcement has been needed for a while. The list of Asian service providers, referenced in the Asian version of the Visa announcement, indicates that most have been compliant for over a year. However, as we've heard in our interviews with Asian-based companies, they have been waiting for announcements that will push the merchant community to drive interest in compliance. Despite the global economic meltdown, this announcement should at least get some in the Asian merchant community to focus more on PCI compliance.

    If you want more information on this topic, the PCI Knowledge Base is hosting a Webinar on Global PCI Compliance on November 18. The main speaker will be Howard Glavin, the lead QSA for IBM's ISS security compliance team, who really knows the Asian (and the global) PCI business. Finally, we have a discussion forum about global compliance issues and another called "Ask a QSA." If you're a retailer, we want to get you involved in the PCI Best Practices study we're doing with the National Retail Federation. It's 100 percent anonymous. Just send us an E-mail at [email protected]