September 21, 2011

Visa Expands Technology Innovation Program for U.S. Merchants to Adopt Dual Interface Terminals

Visa is announcing plans to accelerate the migration to contact chip and contactless EMV chip technology in the U.S. The adoption of dual-interface chip technology will help prepare the U.S. payment infrastructure for the arrival of Near Field Communication (NFC)-based mobile payments by building the necessary infrastructure to accept and process chip transactions.

Not only will chip technology accelerate mobile innovations, it is also expected to enhance payment security through the use of dynamic authentication. Chip technology greatly reduces a criminal’s ability to use stolen payment card data by introducing dynamic values for each transaction. Even if payment card data is compromised, a counterfeit card would be unusable at the point of sale (POS) without the presence of the card’s unique elements. By eliminating static authentication, we reduce the value of stolen cardholder data, benefiting all stakeholders.

Visa’s plan includes merchant incentives to upgrade to EMV chip-enabled terminals, requirements for acquirer processors to support chip acceptance and the introduction of U.S. liability shift policies.

Specifically, Visa will waive Payment Card Industry Data Security Standard (PCI DSS) compliance validation requirements to encourage merchant investment in contact and contactless chip payment terminals. Visa will also require acquirer processors to ensure that their systems support dynamic data acceptance (i.e., chip) and will institute a domestic and cross-border counterfeit liability shift.

About the Visa Technology Innovation Program
Effective 1 October 2012, Visa will expand the Technology Innovation Program (TIP) to the U.S. TIP will eliminate the requirement that eligible merchants annually validate their compliance with the PCI DSS for any year in which at least 75 percent of the merchant’s Visa transactions originate from dual-interface EMV chip-enabled terminals, in addition to meeting other qualification criteria.

To qualify, terminals must be enabled to support both EMV contact and contactless chip acceptance, including mobile contactless payments based on NFC technology. Contact chip-only or contactless-only terminals will not qualify for the U.S. program.

Visa developed TIP to recognize and acknowledge merchants that have taken action to prevent counterfeit fraud by investing in EMV technology. The program is part of Visa’s overall effort to introduce more dynamic authentication data into the payment system and prepare for the use of emerging technologies that aid in the protection of the payment system by encouraging merchant investment in contact and contactless chip payment terminals.

Visa data security compliance programs help reduce the compromise of sensitive cardholder data. In the U.S., Visa required all Level 1 and Level 2 merchants to validate PCI DSS compliance by 30 September 2007. As of 31 March 2011, more than 96 percent of Level 1 and Level 2 merchants in the U.S. have validated their compliance with the PCI DSS.

These merchants have invested in ongoing annual PCI DSS compliance assessments, with many engaging a Qualified Security Assessor (QSA) year-over-year at significant expense. As interest in emerging technologies increases, many U.S. merchants are also considering investing in the future of payments by deploying dual-interface POS terminals. Dual-interface terminals have the ability to process transactions from various payment card products, including EMV chip contact cards, contactless cards, mobile devices and magnetic stripe cards.

Merchants qualifying for TIP can reap meaningful savings through the reduction of costs associated with annual PCI DSS validation, and will have the opportunity to re-invest those savings into additional payment technology infrastructure to support dynamic data processing.

Visa Inc. and Visa Europe introduced the TIP program for acquirers and merchants in non-U.S. geographies in February 2011. For more information on the previously announced TIP programs, see the 9 February 2011 Visa Bulletin “Visa Introduces Technology Innovation Program for Merchants” or contact Visa Inc. at [email protected] or Visa Europe at [email protected]

Minimum Merchant Qualification Standards
To qualify for the program and receive its benefits, U.S. merchants must meet all of the following criteria:

1. The merchant must have validated PCI DSS compliance within the previous 12 months or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance, based on a gap analysis.

2. The merchant must have confirmed that sensitive authentication data (i.e., full contents of magnetic stripe, CVV2 and/or PIN data) is not stored, as defined in the PCI DSS.

3. At least 75 percent of the merchant’s total transaction count must originate from dual-interface (contact / contactless) enabled chip-reading devices.

4. The merchant must not be involved in a breach of cardholder data. A breached merchant may qualify for TIP if they have subsequently validated PCI DSS compliance.

Merchants that do not meet the program’s terminalization requirements, including merchants whose transaction volume is primarily from e-commerce and Mail Order / Telephone Order (MO/TO) acceptance channels, are still required to validate PCI DSS compliance annually in accordance with Visa compliance programs.

Visa will work directly with acquirers to confirm eligible merchants and verify acquirer reporting responsibilities.

Note: Participation in the program is contingent upon the acquirer’s submission of—and Visa’s approval of—a program application for each qualifying merchant. Visa will work closely with acquirers on the continued monitoring of merchants’ PCI DSS compliance and dual-interface terminalization efforts. Visa reminds acquirers that a merchant must not request or use a Visa account number for any purpose other than as payment for goods and services, per the Visa International Operating Regulations.

Enabled chip-reading devices must have current, valid EMV approval and pass Visa Acquirer Device Validation Toolkit (ADVT) / Visa payWave Test Tool (VpTT) implementation requirements as applicable, must comply with the Visa Transaction Acceptance Device Requirements (TADR), and must be able to perform end-to-end chip transactions.

Merchants Must Maintain PCI DSS Compliance
Although Visa may waive the annual validation requirement for qualifying merchants, all merchants are required to maintain ongoing PCI DSS compliance. Acquirers retain full responsibility for merchants’ PCI DSS compliance, as well as responsibility for any fees, fines or penalties that may be applicable in the event of a data breach. All participants in the payment system must continue to protect sensitive static card account information (including PINs) vigilantly and adhere to industry data security standards such as the PCI DSS, PCI PIN Security Requirements, and the Payment Application Data Security Standard (PA-DSS). Visa supports and encourages the use of payment technologies that eliminate card data, secure data in storage and transit, and devalue remaining information via dynamic authentication.

Visa reserves the right to require full PCI DSS validation of compromised entities. If risk conditions change dramatically in any market, Visa may re-evaluate the need for qualifying merchants to validate PCI DSS compliance.
Finally, and in accordance with PCI DSS, all merchants must establish and annually test an incident response plan that outlines the steps to take in the event of a suspected account data compromise. This plan must be consistent with the Visa What to Do If Compromised document.

Preparing for Payment Technology Evolution

Incenting U.S. migration to a POS infrastructure that will facilitate the acceptance of EMV chip contact, contactless and mobile transactions supports an increasing interest in these technologies by U.S. acquirers, merchants and issuers alike. As the U.S. payment infrastructure evolves from the static magnetic stripe to intelligent devices like EMV chip cards and NFC mobile phones, it is critical to ensure that cardholders continue to conduct secure and frictionless transactions across all channels.

Posted by staff at September 21, 2011 03:16 PM