What Visa's EMV announcement means


Visa has shaken many U.S. businesses with its latest announcement declaring that it’s moving to EMV chip-based technology, which will replace the magnetic stripes used on most U.S. cards. The company will also provide incentives to merchants adopting the technology.

Visa has stated that any merchant whose transactions are at least 75 percent EMV will not need to VALIDATE its PCI compliance. In other words, if a Level 1 merchant who previously had to submit a Report on Compliance (ROC) to Visa proving that he was PCI compliant starts taking EMV payments, he can avoid paying a Qualified Security Assessor (QSA) for a ROC.

Merchants are not off the hook for PCI; quite the contrary.  They must still be completely PCI compliant.  The only difference is that they do not need to prove it.  The concern many security experts have with this plan from Visa is that if merchants do not need to prove their compliance, then what is the chance that they will maintain secure systems? PCI came out in 2004, and sensitive card data is still being stolen at an alarming rate.  Many of the recent breaches, such as Sony and Citi, would not have been prevented with EMV technology.  They still had vulnerable systems, and that was before the reduction in reporting requirements contemplated by Visa.

The other card brands have not made a statement confirming or denying that they will follow the same path as Visa, so it’s unclear if ROCs will shortly be a thing of the past for merchants. It is possible that all merchants will eventually be facing the same dilemma as small merchants do today. No one will ask about your PCI compliance until you have a breach. At that point, you will need to produce everything that PCI demands. If you cannot, your guilt in the matter is concluded automatically. (The card brands will still try to determine a root cause, but quite often we have seen that the lack of PCI compliance is the “catch all” used for blame.)

We applaud Visa for implementing stronger security and trying to find a way to give merchants an incentive to follow suit. However, eliminating the ROC seems to be a rash decision. It would simply make more sense to eliminate the parts of the ROC that are no longer applicable for those merchants. Much of the ROC would still remain, such as the physical security, implemented procedures, business processes or even electronic storage components that are not protected by an EMV implementation. PCI validation is much more than electronic storage, and to eliminate the need to validate proper security seems like going a step too far.

 

Brad Cyprus
Bradley K. Cyprus has more than 20 years of experience in the security industry. He manages the development of in-house solutions to validate compliance, and he is a resource that Vendor Safe customers can rely upon to help interpret the PCI standard.