"This is absolutely a different tactic," said Jennifer Fischer, a director with Visa USA, which is the nation's largest payment system company. "We believe that incentives are necessary to achieve compliance. This is the first time a payment card brand has used positive incentives" to encourage security compliance.
The need for such a change is clear, as the pain/punishment tactic has been ineffective, with Visa confirming on Tuesday that only 36 percent of their largest merchants, the Level One retailers, have complied and that number drops to a mere 15 percent for Level 2 merchants. "It's clearly not where we want to be," said Eduardo Perez, Visa's VP for payment system risk.
Level 3 compliance is at "approximately 30 percent and another 30 percent have completed the initial assessment" while Level 4 includes about six million retailers and has been a recent focus "so we don't have statistics to break down yet," Fischer said.
Fischer said the new program, called the Visa PCI Compliance Acceleration Program (PCI CAP), will give the money to acquiring banks who "will determine the distribution of funds," which means not all, nor necessarily any, of the money will actually get into the hands of the retail IT departments responsible for delivering the PCI compliance.
The program's stated goal is "to eradicate the storage of full-track data, CVV2 and PIN data," according to a statement issued Tuesday by Visa.
To qualify for an incentive payment, acquirers of Level 1 and 2 merchants who have validated full PCI compliance by March 31, 2007 will be eligible to receive a one-time payment for each qualifying merchant. Acquirers whose Level 1 and 2 merchants validate compliance after March 31, 2007, and prior to August 31, 2007 will be eligible to receive a reduced one-time payment for each qualifying merchant.
Acquirers will also be required to validate Level 1 and 2 merchant compliance with PIN security standards. Specifically, Visa said, merchants must not use payment devices, such as PIN pads, that "are known to be vulnerable to compromise and that merchants use unique encryption keys for every device. Additionally, acquirers must demonstrate the establishment of a comprehensive compliance program for Level 3 and 4 merchants."
To further get retailers' attention, Visa is also withholding lower credit card interchange rates for those who do not get PCI compliant as of Oct. 1, 2007.
Visa officials also released updated stats on their stick (versus carrot) efforts, saying that 2006 has seen $4.6 million in fines levied, which is roughly 35 percent more than last year's total fines of $3.4 million.
Mark Rasch, a former federal prosecutor specializing in white-collar crimes and now a retail security consultant, said the reward system Visa announced is a good first step, as it is the more complicated and sophisticated response to the PCI compliance problem. "It's a lot easier to punish someone for a failure than to come up with a metric for success," he said.
But he had two concerns. The first is whether the new compliance will actually make retailers and their consumers any safer. "The problem is that the definition is being PCI compliant. Being secure is not the same as being compliant," he said. "Security is usually the bastard stepchild of IT. It's an afterthought."
His second concern is that the incentives are not being paid directly to retailers. "It's out of whack, between the people who mess up and those who have liability," he said.