Visa has shaken many U.S. businesses with its latest announcement declaring that it’s moving to EMV chip-based technology, which will replace the magnetic strips used on most U.S. cards. The company will also provide incentives to merchants adopting the technology.
Visa has stated that any merchant whose transactions are at least 75 percent EMV will not need to VALIDATE its PCI compliance. In other words, if a Level 1 merchant who previously had to submit a ROC to VISA proving that he was PCI compliant starts taking EMV payments, he can avoid paying a QSA for a ROC.
Merchants are not off the hook for PCI; quite the contrary. They must still be completely PCI compliant. The only difference is that they do not need to prove it. The concern many security experts have with this plan from Visa is that if merchants do not need to prove their compliance, then what is the chance that they will maintain secure systems? PCI came out in 2004, and sensitive card data is still being stolen at an alarming rate. Many of the recent breaches, such as Sony and Citi, would not have been prevented with EMV technology. They still had vulnerable systems, and that was before the reduction in reporting requirements contemplated by Visa.
The other card brands have not made a statement confirming or denying that they will follow the same path as Visa, so it’s unclear if ROCs will shortly be a thing of the past for merchants. It is possible that all merchants will eventually be facing the same dilemma as small merchants do today. No one will ask about your PCI compliance until you have a breach. At that point, you will need to produce everything that PCI demands. If you cannot, your guilt in the matter is concluded automatically. (The card brands will still try to determine a root cause, but quite often we have seen that the lack of PCI compliance is usually the “catch all” used for blame.)
We applaud Visa for implementing stronger security and trying to find a way to give merchants an incentive to follow suit. However, eliminating the ROC seems to be a rash decision. It would simply make more sense to eliminate the parts of the ROC that are no longer applicable for those merchants. Much of the ROC would still remain, such as the physical security, implemented procedures , business processes or even electronic storage components that are not protected by an EMV implementation. PCI validation is much more than electronic storage, and to eliminate the need to validate proper security seems like going a step too far.
/ Bradley K. Cyprus has more than 20 years experience in the security industry. He manages the development of in-house solutions to validate compliance, and he is a resource that Vendor Safe customers can rely upon to help interpret the PCI standard.