Visa Waives PCI Assessment For Chip-And-PIN Users Outside The U.S., Tweaks U.S. For Payment Law

Visa on Wednesday (Feb. 9) rolled out a new security program to push global use of EMV technology, which Visa is no longer calling Chip-and-PIN, opting to instead use the even less-catchy "chip and dynamic data authentication." The program will allow retailers who push at least 75 percent of their transactions through EMV to avoid the always fun-filled annual PCI DSS revalidation assessment.

Alas, the program is not being offered for U.S. retailers. Even though such an exclusion requires little explanation beyond the obvious (no U.S. retailer is using EMV in meaningful numbers, nor have any said they would any time soon), Visa took the opportunity to not-so-subtly attack Congress and the White House for new payment card regulations.

"Despite industry interest in chip and dynamic data authentication, the program is not currently available in the United States because recent debit card regulation has cast uncertainty in the marketplace," a Visa statement said, without specifying the nature of the industry interest. There's been a lot of retailer interest, for example, but that hasn't translated into meaningful retail deployments.

The statement then offered a quote from Bill Sheedy, a Group Executive for the Americas at Visa, who said the legislation would make banks stop R&D projects.

"With the United States facing government price controls on debit and restrictive routing and exclusivity rules, it is not feasible or appropriate to drive the market toward major infrastructure investments, especially in an environment where financial institutions could lose billions in revenue as a result of the regulation," Sheedy said. "With such a dramatic potential for revenue loss, financial institutions will likely curtail investments in future innovations."

Isn't it just as likely that financial institution executives will push for more such investments, because they hope to find technology that will deliver less expensive and more efficient ways of doing what they need to do? Besides, did bank investment projections actually have anything to do with the decision to not deploy an EMV program in a country with almost no EMV?

Either way, Visa did offer the possibility of adding the EMV program to the U.S. some day. "Visa may consider implementation of [the program] in the United States at a later date based on evolving environmental circumstances," said a Visa Bulletin. Is that a reference to increased EMV acceptance among retailers or the government's embrace of a series of more Visa-friendly payment rules? (Yeah, we'll vote for marketshare, too.)

The global program itself is called the Technology Innovation Program (TIP) and has fairly straightforward requirements: "Terminals must be enabled for contact or dual contact and contactless interface chip acceptance. All merchants outside of the United States are eligible and may begin qualifying for the new program from March 31, 2011. Visa Europe has announced a similar program."

The statement offered a rather robust defense of EMV security. "Visa has repeatedly underscored the need for authentication solutions to move to dynamic data technologies such as EMV chip," said Ellen Richey, Chief Enterprise Risk Officer at Visa Inc. "Although Visa's global fraud rate remains at an all-time low of less than 6 pennies out of every $100 transacted, we believe the future of security lies in dynamic data. Our experience suggests that as markets move to chip they become less vulnerable to counterfeit fraud and, ultimately, to mass data compromise attacks."

Retailers under the program would certainly not be rid of PCI requirements. Merchants must have validated PCI compliance before entering the program and must still comply with all PCI rules. The merchant cannot have been involved in a breach of cardholder data.

A Visa Bulletin makes explicit the need to maintain compliance. "Although Visa may waive the annual validation requirement for qualifying merchants, all merchants are still required to maintain on-going PCI DSS compliance. Acquirers retain full responsibility for merchants' PCI DSS compliance, as well as responsibility for any fees, fines or penalties, which may be applicable in the event of a data breach. Visa reserves the right to require full PCI DSS validation of compromised entities," the Bulletin said. "If risk conditions change dramatically, Visa may re-evaluate the need for merchants to validate PCI DSS compliance."

PCI compliance is a hassle for retailers worldwide, but the U.S. has been pushing these issues the longest and, according to Visa, has much higher PCI compliance stats. For Level 1 chains in the U.S., for example, Visa reports that 96 percent are compliant. The same figure for Level 1 chains outside the U.S., according to Visa, is 76 percent. Both figures were current as of Dec. 31, 2010.

Wal-Mart made waves in May 2010, when it started a very public push to get other retail chains to start using EMV. Since then, though, no major chains have endorsed EMV, and Wal-Mart itself—even though its POS systems can now accept EMV transactions—has not recently done anything public to encourage EMV, other than with its stores bordering Mexico and Canada, two countries that do use EMV.

The problem is complicated and has more than a little bit of a chicken-and-egg dilemma, with retailers having little reason to embrace EMV until more consumers have it in their wallets. And without a retail push, few banks are pushing the issue on their own. Ironically, a program like TIP in the U.S. might have been just the thing to push both sides to make EMV happen. Is Visa letting politics and pride cloud its objective to push EMV in the U.S.?