Visa sets APAC card security deadlines

Visa has announced deadlines for Payment Card Industry Data Security Standards, with providers processing over 300,000 transactions a year given until February 1 to register compliance and join its $5000-a-year list of verified safe providers.

The Payment Card Industry Data Security Standard (PCI DSS) sets out the technology and data security requirements for merchants that accept credit cards - particularly those that store customer credit card details in an electronic format.

It was formulated by five major credit card companies and its data security standards became mandatory for organisations that handle online credit card payments from June 30.

Visa, which operates the world’s largest retail electronic payment network, says it has created a consistent framework for compliance among merchants, service providers and their agents. This includes a global set of requirements for merchants to validate compliance with PCI DSS, as well as dates for the largest merchants to reach full compliance.

Deadlines have also been set for large and mid-level merchants to demonstrate they are not storing certain types of sensitive card data.

In Asia Pacific, Visa has a Registry of Service Providers launched in November 2008 for payment service providers to report PCI DSS compliance. Visa charges an annual registration fee of US$5000 to registered service providers and says registered providers will have a competitive edge in promoting their services to Visa’s global network of financial institutions and merchants.

“Compliance with PCI DSS is vital to ensuring the integrity of the global payments system,” said Mike Smith, regional head of Risk Management, Asia Pacific for Visa. “Aligning compliance programmes across the Visa regions is the latest step in our commitment to safeguarding cardholder data.”
Validation requirements vary based on factors such as transaction volume, with Merchants processing over 6 million Visa transactions annually (Level 1) required to file an annual compliance report as assessed by a qualified security assessor and submit to a quarterly network scan by Approved Scan Vendor.

Merchants processing 1 million to 6 million transactions (Level 2) must submit an annual self assessment and a quarterly network scan. All merchants must undergo a quarterly network scan.

From September 30, 2009 Visa will require Level 1 and 2 merchants cease retaining sensitive payment card data such as full magnetic stripe, security codes or PIN data after transaction authorization.

“Hackers are looking for this type of data because of its use in counterfeiting payment cards, and that is why Visa prohibits its storage,” said Smith.

After the deadline, Visa will impose risk controls including fines for failure to provide confirmation to Visa that each of the acquirer’s Level 1 and 2 merchants do not retain prohibited data.

Finally, Visa will require acquirers to prove each of their Level 1 merchants have demonstrated validated full PCI DSS compliance by September 30, 2010.