Based on discussions recently with a variety of large merchants at the PCI Community Meeting in Phoenix, there is a lot of confusion as to what Visa is trying to accomplish with their new Technology Innovation Program (TIP) to promote adoption of EMV and contactless cards.
I wrote about this program earlier and after the Community Meeting, it seems that my opinion of this program is shared by most merchants and QSAs.
The big clarification from discussions with Visa was related to the first criteria which is:
“At least 75% of the merchant’s transactions must originate from dual interface EMV chip-enabled terminals“
The big question merchants had was whether it was strictly just terminals, or whether it also required EMV or contactless cards. Visa clarified this on Thursday morning, stating that it was just to install and use EMV or contactless terminals. However, in clarifying this criterion, they created a new question. Visa claims that they will know through analysis of transactions whether a merchant truly meets the 75% rule.
While Visa could know what types of cards are used and how they are used through transaction logs, we were all stumped as to how Visa would know the type of terminal used to conduct the transaction, since EMV cards are not yet available in the United States and contactless cards do not always appear as contactless if they are swiped.
The next big clarification came from the PCI SSC regarding the implication of this program and PCI compliance. The PCI SSC stated that while Visa is not requiring merchants to file a ROC or AOC, the merchant still has to ensure that it is PCI DSS compliant. This means that the merchant still must go through the PCI compliance assessment process of a ROC or respective SAQ to ensure that their controls are functioning properly.
Visa representatives were pushing this aspect of the program very heavily at the Community Meeting, and their wording regarding this aspect of the program was very carefully crafted. At first blush, what they seemed to say was that a merchant meeting the program criteria did not have to meet the requirements of the PCI DSS.
However, when you went back and reviewed their statements and comments, Visa really was not contradicting the PCI SSC’s comment. My concern is that some merchants will not do that re-review and will think that they are off the hook for complying with the PCI DSS.
In talking to the other card brands at the meeting, they are not buying this aspect of the program. Since around 99% of merchants that accept Visa also accept MasterCard, going through an assessment and filing an AOC is still going to be required by them. So, unless Visa can get the other card brands on board, this benefit will not create an advantage for any large merchants.
It is not that the other card brands do not want EMV. It is that they are not agreeing with how Visa is trying to approach the problem of getting EMV adoption started in the United States. The fear expressed by one of the other card brand representatives was that such a program opened the door to going back to pre-ROC times and not knowing if merchants really were securing cardholder data or not.
All of the other card brands stated that they were assessing the Visa initiative, but for the time being, were sticking with their existing compliance requirements. I have to admit, after having the interaction with Visa on Thursday morning, I too am concerned that this is what Visa is inadvertently promoting by their new TIP program.
The point that really got the table roaring was when one of the merchants used the term “Chip and PIN” when the Visa representative used the term EMV.
In response to the use of “Chip and PIN,” the Visa person said very loudly and matter-of-factly, “There is no PIN involved, only the chip.”
At which point, one of the QSAs at the table said to the Visa representative, “So, what’s the point of having EMV without the PIN?”
There was no Visa response which drew laughter all around the table.
And that is the point. There is no driver for any large merchant to adopt new terminals just because Visa will allow them to not have to file an AOC and ROC. And the way the Visa announcement was worded gave most merchants the impression that the program would get merchants out of the PCI compliance process, which was patently not true. And when the PCI SSC made that clear, most merchants I spoke with did not understand the point of Visa’s program.
One of the processors I ran into at the Community Meeting brought up a very interesting perspective on this whole topic. He stated, “With eWallets just around the corner, what is the point of trying to drive EMV?”
He went on to explain that with eWallets, bar codes can be generated that can be scanned, thus avoiding the need for new terminals. As a result, he said a lot of merchants are just biding their time, waiting until the whole mobile payment, eWallet technology is fleshed out.
The bottom line is that Visa is attempting to use its 800-pound gorilla status to drive EMV and contactless into the United States. The problem is that large merchants are not buying it, and that appears to be frustrating to Visa since they have a vested interest in EMV and contactless technologies.
As I stated in my earlier post, if Visa were to work with a consortium of e-Commerce merchants, payment processors and other relevant entities to produce a common API for using EMV and contactless cards with PIN online, that would likely drive the adoption of more secure cards in the United States because there would be a business reason for adoption. Without such a driver, EMV and contactless are still a solution looking for a problem.
Cross-posted from PCI Guru