
New Visa Security Requirements Aim To Reduce Small Merchants’ Data Breaches

Visa Inc. has announced new data-security requirements for small merchants, one of which says that beginning Jan. 31, 2017, merchant acquirers must annually validate compliance by their so-called Level 4 merchants with the Payment Card Industry data security standard.

Other new Visa requirements involve qualified integrators and resellers, or QIRs. These are entities that install business-management software, or integrate such applications, for use with point-of-sale terminals and payment applications. Effective next March 16, newly boarded Level 4 merchants may only use QIRs that are certified by the PCI Security Standards Council, the body that oversees the PCI DSS and its related standards, to install POS terminals and software. Effective Jan. 31, 2017, the QIR requirement will apply to all Level 4 merchants.

The new requirements are listed in an Oct. 29 Visa security bulletin. Visa did not make a spokesperson available to comment on the bulletin, but the company indicated that one of the deadlines might be delayed in early 2016.

“Using QIR companies provides small merchants some protection against a common vulnerability exploited by criminals,” the bulletin says. “However, this alone will not prevent small-merchant compromises. As such, Visa is expanding its PCI DSS validation program to include Level 4 merchants. Effective 31 January 2017, acquirers must ensure their Level 4 merchants validate full PCI DSS compliance annually.”

Visa is trying to fill two well-known security holes in card payments. Level 4 merchants, the smallest among the four tiers by which Visa ranks merchants, are businesses that process up to 1 million Visa transactions annually, or fewer than 20,000 Visa e-commerce transactions. Level 4 merchants represent more than 90% of the 5-million-plus card-accepting merchants in the U.S., and they also account for a lot of data breaches—some 94% of the compromises Visa tracked in 2015, according to an October Visa presentation for small merchants. Unlike breaches involving big, Level 1 merchants such as Target Corp. or The Home Depot Inc., breaches at Level 4 businesses are small in scale and rarely make headlines, but collectively they present a security headache for the card networks, acquirers and issuers.

All card-accepting merchants must comply with the PCI rules, but only big and medium-sized ones currently must validate their PCI compliance through annual tests and probes that can be complicated and expensive. With Level 4 merchants, Visa requires PCI compliance but leaves actual validation up to the acquirer. The network says acquirers must attest to their Level 4 merchants’ PCI compliance and recommends merchants complete a self-assessment questionnaire.

The bulletin notes that acquirers can avoid the new annual validation requirement if they participate in Visa’s incentive program to grow EMV chip card payments. Dubbed the Technology Innovation Program, or TIP, the program says a merchant does not need annual PCI validation if it submits 75% of its Visa transactions through EMV terminals, and does not store sensitive cardholder data after transaction authorizations.

Visa has never publicly stated small merchants’ PCI compliance rates, usually terming them as “moderate,” but the trade group the Merchant Acquirers’ Committee has estimated it at 39%.

At the same time, because of their lack of technical expertise, many small merchants rely on tech providers to protect their POS terminals and back-office networks. These providers sometimes do slipshod work, setting up payment systems with easily guessed default passwords and other vulnerabilities. But many such companies, including value-added resellers (VARs) and integrated software vendors (ISVs), are coming into the payments realm because merchants increasingly want POS applications that do much more than simply process card transactions.

Visa and the PCI Council are offering an incentive for VARs and ISVs to become PCI Council-endorsed QIRs. Companies that enroll in a Visa QIR training program by year’s end can receive a discounted price of $197.97 per person, the bulletin says. The standard price wasn’t listed.

While the new PCI validation requirement could affect millions of merchants, Dallas-based payment-security consultant Branden R. Williams doesn’t see Visa’s changes as radical.

“I see this as more of a nudge than a massive policy shift,” Williams tells Digital Transactions News by email. “Visa—and the other payment brands—have always said that Level 4 merchants must be compliant but were only recommended to validate. I see this impacting acquirers who have not built merchant-compliance programs more than those who have. In this case, the nudge from Visa may be to push acquirers and merchants into products and services that qualify for the Technology Innovation Program.”
