Visa PCI DSS exemptions send out mixed messages to merchants

Visa last week announced a new programme which means European merchants will no longer need to prove they adhere to PCI DSS regulations on an annual basis, as long as 75 percent or more of their transactions originate from EMV-enabled chip and pin terminals. The programme will be introduced on 31 March, 2011.

Although merchants will no doubt welcome this initiative, which is designed to improve security and lessen the burden of PCI compliance, there will inevitably be some confusion about compliance requirements going forward.

Visa should of course be applauded for trying to reduce the compliance burden for merchants that are using the latest secure technologies, in this instance, contact or dual contact/contactless chip and pin terminals. However, this by no means spells the end of compliance – other card firms, including MasterCard, will still require annual validation that regulations are being met – so appropriate compliance procedures still need to be in place.

Visa’s initiative also only impacts a relatively small proportion of merchants. For example, online retailers – for which chip and pin is not always a viable option – will see no change in their requirements. And even if 75 percent of a merchant’s transactions originate from qualifying chip and pin terminals, the firm will still have to prove compliance prior to being accepted onto Visa’s new programme.

However, perhaps the most interesting thing about Visa’s new initiative is the mixed message it sends out about the need to comply with industry best practices. After all, even if Point of Sale security is completely watertight, who’s to say that the credit card details stored elsewhere in the merchant’s IT infrastructure are just as safe?

PCI compliance – as burdensome as it sometimes seems – still delivers benefits to merchants, as it helps them achieve best practice. For example, PCI 2.0 regulations stipulate the use of centralised log management solutions, which provide merchants with a complete overview of all network activity, proactively spotting any event that could put data at risk.

Centralised processes like this don’t just help with compliance, they are also mission critical to merchants, as log data contains vital clues and information about the ongoing security of credit card data. The fact that these platforms provide a complete overview of all log activity is absolutely critical. Merchants using disparate log management platforms in different parts of their infrastructure are likely to find that information about key security events will fall through the cracks.
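To make the "fall through the cracks" point concrete, the following added example (not code from the article or from any vendor mentioned) correlates two constructed log sources: a chip-and-pin terminal host and a cardholder-data database. Each source is run through a single-source rule that does not fire, and then through a cross-source rule that does, because the same client address appears in both logs within a short window. All hostnames, addresses, account names and thresholds are invented for the example.

```python
# Added example: minimal centralised log correlation across two sources.
# Not from the article; all log lines, hosts and addresses are constructed.
from datetime import datetime, timedelta

# Constructed sample lines. The POS terminal host and the cardholder
# database each write their own format, as real disparate systems would.
POS_LOG = """\
2011-03-31T09:00:01 pos-term-12 auth FAIL user=admin src=10.0.5.40
2011-03-31T09:00:05 pos-term-12 auth FAIL user=admin src=10.0.5.40
2011-03-31T09:00:09 pos-term-12 auth OK user=admin src=10.0.5.40
2011-03-31T09:30:00 pos-term-07 auth OK user=clerk3 src=10.0.5.71
"""

DB_LOG = """\
2011-03-31T09:01:12 carddb query user=svc_pos rows=184000 table=cardholder src=10.0.5.40
2011-03-31T09:45:00 carddb query user=svc_report rows=120 table=cardholder src=10.0.9.2
"""


def _kv(token):
    """Return the value part of a key=value token."""
    return token.split("=", 1)[1]


def parse_pos(line):
    ts, host, _, result, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "source": "pos", "host": host,
            "result": result, "user": _kv(user), "src": _kv(src)}


def parse_db(line):
    ts, host, _, user, rows, table, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "source": "db", "host": host,
            "user": _kv(user), "rows": int(_kv(rows)),
            "table": _kv(table), "src": _kv(src)}


def load_events():
    """Normalise both sources into one time-ordered event list (the
    'centralised' view)."""
    events = [parse_pos(l) for l in POS_LOG.splitlines() if l.strip()]
    events += [parse_db(l) for l in DB_LOG.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def pos_only_alerts(events, fail_threshold=3):
    """Terminal-side rule: flag a client with at least N failed logins.
    Two failures stay below the (hypothetical) threshold of three."""
    fails = {}
    for e in events:
        if e["source"] == "pos" and e["result"] == "FAIL":
            fails[e["src"]] = fails.get(e["src"], 0) + 1
    return sorted(src for src, n in fails.items() if n >= fail_threshold)


def db_only_alerts(events, row_threshold=500_000):
    """Database-side rule: flag very large reads of the cardholder table.
    A 184,000-row read by a service account looks routine on its own."""
    return [(e["src"], e["ts"]) for e in events
            if e["source"] == "db" and e["rows"] >= row_threshold]


def correlated_alerts(events, window=timedelta(minutes=5)):
    """Cross-source rule: a cardholder-table read from a client that had a
    failed terminal login in the preceding window. Only possible when both
    logs are in one place."""
    alerts = []
    for e in events:
        if e["source"] != "db" or e["table"] != "cardholder":
            continue
        prior_fail = any(
            p["source"] == "pos" and p["result"] == "FAIL"
            and p["src"] == e["src"]
            and e["ts"] - window <= p["ts"] <= e["ts"]
            for p in events)
        if prior_fail:
            alerts.append((e["src"], e["ts"], e["rows"]))
    return alerts


if __name__ == "__main__":
    evts = load_events()
    print("POS-only alerts:", pos_only_alerts(evts))        # []
    print("DB-only alerts:", db_only_alerts(evts))          # []
    print("Correlated alerts:", correlated_alerts(evts))
```

The thresholds are deliberately ordinary: neither the terminal nor the database team would have a reason to raise them on their own data, which is exactly the gap a single overview of all log activity closes.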

Ross Brewer brings over 22 years of sales and management experience in high tech and information security. Prior to joining LogRhythm, he was a senior executive at LogLogic where he served as vice president and managing director EMEA. Ross has held senior management and sales positions in Europe for systems and security management vendor NetIQ and security vendor PentaSafe (acquired by NetIQ). He was also responsible for launching Symantec’s New Zealand operations.