Visa Will Use PCI Exemption to Help Push Chip Adoption
Merchants faced with the prospect of changing point-of-sale terminals to be able to accept transactions validated with embedded chips may find the ability to not validate the expensive security standard every year an additional incentive.
Along with its change of policy on embedded chip technology, Visa Inc. announced Tuesday that merchants where at least 75% of card transactions use the new technology will no longer have to validate their compliance with the Payment Card Industry card security standards for card transactions in that year.
Merchants have long complained that remaining PCI compliant is expensive and technically challenging. Merchants who are not PCI compliant are seen as more vulnerable to card fraud and have faced fines from the card brands and additional liability for card fraud damages.
The card brand emphasized as well that the terminals will need to be able to accept both contact and contactless card transactions and that merchants will still need to protect any card data which they store.
The change in policy also carries a possible punishment along with an incentive. Currently, POS counterfeit fraud is largely absorbed by card issuers. With the liability shift, if a contact chip card is presented to a merchant that has not adopted, at minimum, contact chip terminals, liability for counterfeit fraud may shift to the merchant's acquirer.
The liability shift encourages chip adoption since any chip-on-chip transaction (chip card read by a chip terminal) provides the dynamic authentication data that helps to better protect all parties, the brand said.