Visa USA today announced it will offer $20 million in financial incentives and create new sanctions in an effort to further merchant compliance with the Payment Card Industry Data Security Standard (PCI DSS). The new effort, called the Visa PCI Compliance Acceleration Program (PCI CAP), is the first of its kind to add positive reinforcement to the industry’s traditional, fine-only approach. Visa PCI CAP represents one component of Visa’s comprehensive strategy to address payment card fraud.


“Locking down cardholder data is an important security component that will benefit financial institutions and merchants, and is equally important to maintain consumer trust in Visa,” said Michael E. Smith, senior vice president of Enterprise Risk and Compliance at Visa USA. “By combining both incentives and fines, we expect acquirers to increase their efforts with merchants to accelerate their progress toward becoming PCI compliant and eliminating the storage of sensitive card data. Nothing is more important to Visa than securing commerce.”


The program targets the acquirers responsible for the largest 1,200 merchants – known as Level 1 and 2 merchants – that each process more than one million Visa transactions a year and combined account for approximately two-thirds of Visa’s U.S. transaction volume. The initiative’s goal is to eradicate the storage of full-track data, CVV2 and PIN data, and grow PCI compliance among this group of merchants. Visa reports current PCI compliance among Level 1 merchants at 36 percent and 15 percent among Level 2 merchants, with the majority in both levels actively working toward compliance.


Incentives for PCI Compliance


Visa is investing up to $20 million in an incentive fund payable to the acquiring financial institutions of the largest U.S. merchants who have already or will validate PCI compliance by August 31, 2007, and have not been involved in a data compromise. In addition, Visa will link the benefits of tiered interchange rates to PCI compliance, creating an additional security incentive for acquirers of large merchants.


To qualify for an incentive payment, acquirers of Level 1 and 2 merchants who have validated full compliance with the PCI DSS by March 31, 2007, will be eligible to receive a one-time payment for each qualifying merchant. Acquirers whose Level 1 and 2 merchants validate compliance after March 31, 2007, and prior to August 31, 2007, will be eligible to receive a reduced one-time payment for each qualifying merchant.


Acquirers will also be required to validate Level 1 and 2 merchant compliance with PIN security standards. Specifically, merchants must not use payment devices, such as PIN pads, that are known to be vulnerable to compromise, and they must use unique encryption keys for every device. Additionally, acquirers must demonstrate the establishment of a comprehensive compliance program for Level 3 and 4 merchants.


Effective October 1, 2007, acquirers whose transactions qualify for lower interchange rates available in the Visa and Interlink tiers must ensure that the merchants generating the transactions are PCI compliant in order to receive this benefit.


Acquirers are encouraged to use the incentives to fund merchant security compliance programs.


Fines for PCI Compliance and Data Storage


Visa’s PCI CAP will build on the company’s current enforcement efforts, which include acquirer fines for data compromises involving merchants of any size. Fines are also assessed on acquirers that have failed to confirm that full track data is not retained or that did not provide a PCI compliance plan for their Level 1 merchants by September 30, 2006. In 2006, Visa levied $4.6 million in fines, up from a 2005 total of $3.4 million.


This new program sets an enforcement date for acquirers to validate PCI compliance for Level 1 and Level 2 merchants. Additionally, Visa is adding new fines to acquirers whose Level 2 merchant customers retain full-track data, CVV2 or PIN data after the transaction authorization.


Specifically for PCI compliance, acquirers will be fined between $5,000 and $25,000 a month for each of their Level 1 and 2 merchants who have not validated by September 30, 2007 and December 31, 2007, respectively. For prohibited data storage, acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007 will be subject to fines of up to $10,000 a month per merchant, subject to escalation in the event material progress toward compliance is not made in a timely manner.

