Press Releases

Visa USA Pledges $20 Million in Incentives to Protect Cardholder Data

First Payment Brand to Combine Financial Incentives and Fines to Encourage Adoption of Industry Security Standards

San Francisco, December 12, 2006

Visa USA today announced it will offer $20 million in financial incentives and create new sanctions in an effort to further merchant compliance with the Payment Card Industry Data Security Standard (PCI DSS). The new effort, called the Visa PCI Compliance Acceleration Program (PCI CAP), is the first of its kind to provide positive reinforcement to the industry's traditional, fine-only approach. Visa PCI CAP represents one component of Visa's comprehensive strategy to address payment card fraud.

"Locking down cardholder data is an important security component that will benefit financial institutions and merchants, and is equally important to maintain consumer trust in Visa," said Michael E. Smith, senior vice president of Enterprise Risk and Compliance at Visa USA. "By combining both incentives and fines, we expect acquirers to increase their efforts with merchants to accelerate their progress toward becoming PCI compliant and eliminating the storage of sensitive card data. Nothing is more important to Visa than securing commerce."

The program targets the acquirers responsible for the largest 1,200 merchants - known as Level 1 and 2 merchants - that each process more than one million Visa transactions a year and combined account for approximately two-thirds of Visa's U.S. transaction volume. The initiative's goal is to eradicate the storage of full-track data, CVV2 and PIN data, and grow PCI compliance among this group of merchants. Visa reports current PCI compliance among Level 1 merchants at 36 percent and 15 percent among Level 2 merchants, with the majority in both levels actively working toward compliance.

Incentives for PCI Compliance
Visa is investing up to $20 million in an incentive fund payable to the acquiring financial institutions of the largest U.S. merchants who have already or will validate PCI compliance by August 31, 2007, and have not been involved in a data compromise. In addition, Visa will link the benefits of tiered interchange rates to PCI compliance, creating an additional security incentive for acquirers of large merchants.

Acquirers of Level 1 and 2 merchants that have validated full compliance with the PCI DSS by March 31, 2007 will be eligible to receive a one-time incentive payment for each qualifying merchant. Acquirers whose Level 1 and 2 merchants validate compliance after March 31, 2007 and prior to August 31, 2007 will be eligible to receive a reduced one-time payment for each qualifying merchant.

Acquirers will also be required to validate Level 1 and 2 merchant compliance with PIN security standards. Specifically, merchants must not use payment devices, such as PIN pads, that are known to be vulnerable to compromise, and must use unique encryption keys for every device. Additionally, acquirers must demonstrate the establishment of a comprehensive compliance program for Level 3 and 4 merchants.

Effective October 1, 2007, acquirers whose transactions qualify for lower interchange rates available in the Visa and Interlink tiers must ensure that the merchants generating the transactions are PCI compliant in order to receive this benefit.

Acquirers are encouraged to use the incentives to fund merchant security compliance programs.

Fines for PCI Compliance and Data Storage
Visa's PCI CAP will build on the company's current enforcement efforts, which include acquirer fines for data compromises involving merchants of any size. Fines are also assessed on acquirers that have failed to confirm that full track data is not retained or that did not provide a PCI compliance plan for their Level 1 merchants by September 30, 2006. In 2006, Visa levied $4.6 million in fines, up from a 2005 total of $3.4 million.

This new program sets an enforcement date for acquirers to validate PCI compliance for Level 1 and Level 2 merchants. Additionally, Visa is adding new fines for acquirers whose Level 2 merchant customers retain full-track data, CVV2 or PIN data after the transaction authorization.

Specifically for PCI compliance, acquirers will be fined between $5,000 and $25,000 a month for each of their Level 1 and 2 merchants that have not validated by September 30, 2007 and December 31, 2007 respectively. For prohibited data storage, acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full-track data, CVV2 or PIN data by March 31, 2007 will be eligible for fines up to $10,000 a month per merchant, subject to escalation in the event material progress toward compliance is not made in a timely manner.

Progress on Industry Data Security Efforts
Throughout 2006, Visa has helped prevent fraud by sharing critical information with merchants, software providers and law enforcement. Some key activities include:

Technology Industry Outreach

  • On December 4-5, 2006, Visa hosted a payment application developer's conference in Foster City, California to problem-solve the challenge of track-data storage. More than 100 software executives attended this event, demonstrating their commitment to supporting PCI compliance. Today, more than 90 point-of-sale products have been validated as PABP compliant, nearly double the figure from April 2006.

Acquirer/Merchant Outreach

  • Visa has reached nearly 2,000 merchants, acquirers and processors through webinars and ongoing training sessions, educating them on the PCI DSS and critical security issues. Visa will continue to offer a series of PCI DSS workshops and webinars for acquirers and merchants throughout 2007. For more information, visit www.visa.com/cisp.
  • In May 2006, Visa initiated an ongoing series of Security Alerts to notify merchants and other entities of certain security vulnerabilities along with actionable steps to mitigate them.
  • Visa joined with the U.S. Chamber of Commerce to conduct their second, 12-city Merchant Data Security Tour in 2006 reaching more than 60,000 small businesses.

Law Enforcement Outreach

  • To help prosecute payment card crimes, Visa conducts learning sessions annually at the University of South Carolina National Advocacy Center for federal, state and county district attorneys.

About Visa
Visa USA is the nation's leading payment brand and largest payment system, enabling banks to provide their consumers and business customers with a wide variety of payment alternatives tailored to meet their evolving needs. Visa USA is committed to increasing the choice, convenience, acceptance and security of Visa payments for all stakeholders in the payment system -- members, cardholders and merchants. Through its 13,369 member financial institutions, more than 500 million Visa-branded cards have been issued to cardholders in the United States. Worldwide, cardholders in more than 150 countries carry more than 1 billion Visa-branded cards, accounting for more than $3 trillion in annual transaction volume. VisaNet, Visa's global processing system and the world's largest financial network, processes transactions with unparalleled reliability. Visa offers a trusted, reliable and convenient way to access and mobilize financial resources -- anytime, anywhere, anyway.

 

 



CONTACTS
Jay Hopkins
For Visa
(703) 683-5004 ext. 107
jhopkins@crc4pr.com

 
Rosetta Jones
Visa USA
(704) 444-3815
rjones@visa.com


Portions © Copyright 2001-2007 Visa USA Inc.
