Reaction to Visa’s TIP Considers Several Angles

PCI assessor and blogger at StoreFrontBackTalk Walt Conway provides some additional thoughts on Visa’s recently-announced TIP program. This program relaxes annual PCI validation requirements for non-US merchants, as long as 75% of those merchants’ Visa payments are processed on EMV-compliant terminals. Conway examines the possible long-term implications of the exclusion of US merchants from TIP. Conway opines that either the initiative will be stimulative to US EMV migration, or it will further isolate the US from the rest of the world, which tends to see PCI compliance as a US-focused issue. Along the way, Conway raises several other issues of considerable interest…

Visa’s bulletin goes to great lengths to emphasize that merchants still need to be PCI compliant at all times. To me, that means those merchants still need quarterly vulnerability scans, annual penetration testing, daily log reviews and all the other ongoing daily, weekly and monthly PCI compliance actions.

The same fees, fines and penalties as exist today will apply. And should a merchant’s “risk conditions change dramatically,” Visa can boot that merchant (or class of merchants?) out of TIP and go back to requiring annual compliance assessments.

TIP, therefore, may put acquirers in an uncomfortable position. Under TIP, Visa is going around its acquirers and telling merchants directly that they don’t need to re-validate PCI compliance. Visa continues, however, to hold the acquirer responsible for any data breach. If I were an acquirer and a card brand told my merchant it didn’t have to re-validate PCI compliance and that merchant got breached, I would not be too happy about getting fined and then having to pass that fine on to my merchant.

Read the Full Blog Post: http://storefrontbacktalk.com/securityfraud/u-s-retailers-should-watch-visas-tip/