On February 11, 2011 Visa announced an interesting program that promotes and demonstrates the fraud deterrence strength of the Europay, MasterCard and Visa (EMV) smartcard standard and are also equipped to accept both contact-based and contactless transactions. Those organizations that have at least 75% of their transactions originating from smartcard-enabled terminals will not have to demonstrate compliance. This is perhaps a reflection of Visa weighing the risks and benefits of technology from a risk management point of view. A win for merchants certainly, as this technology is widely adopted in many parts of the world.
As a reminder, all organizations within the Payment Card Industry must be compliant with the data security standard, but the nuance of demonstration / attestation is based on the channel and volume of each individual card. This program of Visa does not impact the other Card brands, so international Merchants will still need to consider these within their global compliance and security programs.
The deployment in the U.S. requires both adoption at the Merchant level, and the consumers too. It would be interesting to compare the costs of the EMV architecture vs. the compliance costs of organizations. I also wonder if the net benefit of requiring security controls to be meaningfully applied to sensitive data (in this case PCI) does not raise all the “boats” (read: other sensitive data types), as it is more likely that security safeguards are applied broadly. Is this demonstrated by 28% reduction in identity thefts in 2010?
See you in San Francisco at RSA 2011,