The latest credit card data standard exemptions from Visa send out mixed messages to merchants, warns LogRhythm
Visa last week announced a new programme that means European merchants will no longer need to prove they adhere to Payment Card Industry (PCI) Data Security Standards (DSS) regulations on an annual basis, as long as 75% or more of their transactions originate from EMV-enabled chip and PIN terminals. The programme will be introduced on 31 March 2011.
Although merchants will no doubt welcome this initiative, which is designed to improve security and lessen the burden of PCI compliance, Ross Brewer, president and managing director of Europe Middle East and Africa for LogRhythm, has warned that there will inevitably be some confusion about compliance requirements going forward.
Easing the burden of compliance
“Visa should of course be applauded for trying to reduce the compliance burden for merchants that are using the latest secure technologies, in this instance, contact or dual contact/contactless chip and PIN terminals,” Brewer stated. “However, this by no means spells the end of compliance – other card firms, including MasterCard, will still require annual validation that regulations are being met – so appropriate compliance procedures still need to be in place.
“Visa’s initiative also only impacts a relatively small proportion of merchants. For example, online retailers – for which chip and PIN is not always a viable option – will see no change in their requirements. And even if 75% of a merchant’s transactions originate from qualifying chip and PIN terminals, the firm will still have to prove compliance prior to being accepted onto Visa’s new programme.”
He continued: “However, perhaps the most interesting thing about Visa’s new initiative is the mixed message it sends out about the need to comply with industry best practices. After all, even if point-of-sale security is completely watertight, who’s to say that the credit card details stored elsewhere in the merchant’s IT infrastructure are just as safe?
Benefits from best practice
“PCI compliance – as burdensome as it sometimes seems – still delivers benefits to merchants, as it helps them achieve best practice. For example, PCI 2.0 regulations stipulate the use of centralised log management solutions, which provide merchants with a complete overview of all network activity, proactively spotting any event that could put data at risk.”
Brewer said centralised processes like this don’t just help with compliance, but that they are also mission-critical to merchants, as log data contains vital clues and information about the ongoing security of credit card data. “The fact that these platforms provide a complete overview of all log activity is absolutely critical. Merchants using disparate log management platforms in different parts of their infrastructure are likely to find that information about key security events will fall through the cracks,” he concluded.