Visa Imposing PCI-DSS Compliance on its e-merchants
- As of 1st January 2013, Carte Bleue will require PCI-DSS compliance from its e-merchants; otherwise, the group will no longer cover their transactions.
- The e-commerce sector is especially exposed to several kinds of consequences (heavy fines, a hard-to-quantify impact on customers' level of trust and on the companies' image, etc.); this is what actually pressures e-merchants into complying with these security requirements.
- Several options are available: e-merchants can rely on PCI-DSS certified hosting platforms, carry out the necessary procedures themselves in order to eventually be granted their own certification, or partner with already certified service providers. Being counted among the Visa-approved, PCI-DSS certified merchants is an asset likely to be of value to their customers.
- The worldwide joint venture Visa International Service Association gathers 21,000 financial institutions; in France, it is represented by the Carte Bleue group. E-merchants can improve their image by displaying their link with the international network, thus reassuring their Internet users and potential online purchasers. The certification must be renewed every year by Visa.
- As these compulsory procedures are time-consuming and expensive, small merchants generally opt for already certified service providers. The increasing number of attacks demands significant efforts to ensure the security of sensitive data (card and personal information). Isolating these critical elements, encrypting them, choosing appropriate processing and storage methods, and so on, are all aspects covered by the certification procedures, which aim to prevent their retrieval by fraudulent third parties. Banks typically impose PCI-DSS compliance on all e-merchants that directly handle card numbers.
- In August 2011, the PCI-SSC released new guidelines on the implementation of data tokenisation measures: the PCI-DSS Tokenization Guidelines. The standards organisation explained that adopting tokens could reduce the scope of the PCI-DSS compliance assessment but would not, however, remove the need for it (see August 2011 Insight).
- Finally, in the US, as the adoption of EMV progresses under pressure from the largest card networks as well as a growing number of banks, the liability of merchants that are not EMV compliant will be called into question starting October 2015 (and starting 2017 for gas stations). Visa and MasterCard also say they will ease PCI-DSS compliance processes for merchants that have installed EMV-compliant POS systems (see February 2012 Insight).