Visa’s bulletin goes to great lengths to emphasize that merchants still need to be PCI compliant at all times. To me, that means those merchants still need quarterly vulnerability scans, annual penetration testing, daily log reviews and all the other recurring daily, weekly and monthly PCI compliance activities; TIP relieves them of the annual validation, not of the ongoing controls.
The same fees, fines and penalties as exist today will apply. And should a merchant’s “risk conditions change dramatically,” Visa can boot that merchant (or class of merchants?) out of TIP and go back to requiring annual compliance assessments.
TIP, therefore, may put acquirers in an uncomfortable position. Under TIP, Visa is going around its acquirers and telling merchants directly that they don’t need to re-validate PCI compliance. Visa continues, however, to hold the acquirer responsible for any data breach at those merchants. If I were an acquirer and a card brand told my merchant it didn’t have to re-validate PCI compliance, and that merchant then got breached, I would not be too happy about getting fined and then having to pass that fine on to my merchant.
Read the Full Blog Post: http://storefrontbacktalk.com/securityfraud/u-s-retailers-should-watch-visas-tip/