Friday, April 10, 2009

PCI Compliance: Visa Announces Global Deadlines

In response to the complex and global threats faced by the cardholder ecosystem, Visa Inc. recently announced worldwide deadlines for PCI DSS compliance. "Compliance with PCI DSS is vital to ensuring the integrity of the global payments system," said Eduardo Perez, head of global data security, Visa Inc. "Aligning compliance programs across the Visa regions is the latest step in our commitment to safeguarding cardholder data."

Important dates include:

  • February 1, 2009: Providers processing more than 300,000 annual transactions must demonstrate PCI DSS compliance.
  • September 30, 2009: Level 1 and Level 2 merchants will be prohibited from storing sensitive authentication data (e.g. full magnetic stripe, security codes, PIN).
  • September 30, 2010: Acquiring banks must prove that all Level 1 merchants have demonstrated compliance with the PCI DSS.

Visa also announced that Visa Europe's merchants will follow a different timeline (yet to be announced) for validating compliance.

After these deadlines pass, Visa can fine acquirers if they fail to demonstrate that all of their required entities are compliant. I expect that the acquiring banks will pass these fines on to the non-compliant merchants.

As shown by Visa's initial deadlines for Level 1 and Level 2 merchants in the US, the combination of fines and incentives can drive significant progress on PCI compliance. By opting to hold large merchants, banks and service providers accountable around the globe, Visa has likely jump-started another wave of progress in global cardholder data security.

Hopefully, organizations around the world can work with, and learn from, their counterparts in the US and avoid some of the more common mistakes and resulting misfortune.
