Visa today announced plans that will let qualifying merchants in the U.S. eliminate the need to annually validate their compliance with the Payment Card Industry (PCI) data security standard.
But in order to do that, merchants will have to start using point-of-sale (POS) terminals that support the chip-based EMV payment-processing technology (today, the U.S. is still dominated by magnetic-stripe cards) as well as support the wireless standard called Near Field Communication (NFC) for mobile payments.
BACKGROUND: Average annual cost of a PCI audit? $225k
EMV, which requires the payment-card holder to have a chip-based payment card, is used far more in other parts of the world, especially Europe. While many argue that EMV is more secure than magnetic-stripe-based cards more commonly in use in the U.S., some security researchers have voiced criticism of EMV payment cards as well.
But Visa says it's important EMV gain ground in the U.S. and also that next-generation POS terminals support NFC for mobile payments through smartphones. And to spur that to happen, Visa says it's waiving the requirement for the annual PCI validation audit. All organizations processing payment cards have to support the PCI data security standard (PCI DSS), and annual audits for larger merchants can be expensive. A Ponemon Institute study last year found the annual PCI audit process ran on average $225,000 per year with 10% of businesses paying $500,000 or more.
Visa has said its incentive program will help prepare the U.S. payment infrastructure for the arrival of NFC-based mobile payments by building the necessary infrastructure to accept and process chip transactions that support either a signature or PIN at the point of sale.
"I've often been asked if the United States will ever adopt EMV chip technology as many other countries have," Ellen Richey, Visa's chief enterprise risk officer at Visa, stated in a blog today. "My response has been, it's not a question of 'whether' the United States will begin to use chip technology but 'when' and 'how.'" She added that "recent developments have convinced us that the time is right to put real incentives in the marketplace for contact and contactless technology to take hold."
The Visa program won applause from the Smart Card Alliance, the not-for-profit multi-industry association focused on facilitating adoption of contactless and mobile payments in the U.S.
"This is the ignition the U.S. market needed," says Executive Director Randy Vanderhoof, adding that it gives merchants a clear roadmap to the evolution of U.S. payment systems. "Merchants have been sitting on the sidelines because they didn't want to take multiple steps along the path to EMV migration."
The incentive program, for which Visa-supporting merchants can choose to apply through their bank, is scheduled to start Oct. 1, 2012. Mark Nelson, senior business leader at Visa, says the program is open to all merchants regardless of size. The merchant must commit to achieving 75% of the total number of Visa transactions through dual-interface terminals that support both EMV and traditional magnetic-stripe payment cards. He says the goal is to get merchants to in the U.S. to buy dual-interface terminals supporting NFC. Visa will be issuing some technical guidelines, such as for software, in its incentive program. Today, McDonald's and Nordstrom voiced support for Visa's incentive program.
One of the main reasons Visa is initiating the incentive program is to make sure POS terminals will be able to support mobile payments through smartphones, says Nelson. "The NFC capability of your smartphone will have the same chip technology your card will have," he says. NFC is the near-field communication standard now widely regarded as the future for mobile payments, especially using smartphones equipped with NFC.
By offering Visa merchants the chance of avoid annual PCI validation costs -- Visa says at present it doesn't envision setting a timeline in which PCI validation costs would be re-imposed in the coming years to merchants achieving its EMV and NFC goals -- the question is raised of how committed Visa is to PCI DSS.
Visa, among with other payment card brands such as MasterCard, is a founding member of the PCI Security Standards Council, which over the years has issued strict information-technology security standards that any organization processing payment cards must follow.
Nelson says, "We do think data security is still important. We still believe in PCI DSS." But getting merchants to move to EMV and NFC is seen by Visa as critical to establishing the next generation of payment technologies in the U.S.
Since the PCI standard and the annual validation is supported by MasterCard and other brands as well, it remains to be seen if they will embrace any similar incentive program for EMV. Nelson says he can't comment on their behalf but that the payment card brands tend to try to keep pace with each other's incentive programs.
Read more about wide area network in Network World's Wide Area Network section.