Visa USA says it will offer $20 million in incentives and introduce new financial sanctions in order to increase merchant compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Visa says its new incentive programme targets the acquirers responsible for the largest 1200 merchants – known as Level 1 and Level 2 merchants. The aim of the programme is to stop merchants storing card data - including PINs - and to increase PCI compliance. The company says current PCI compliance among Level 1 merchants is 36%, while among Level 2 merchants it is just 15%.
The incentives will be paid to the acquiring financial institutions of merchants that validate their PCI compliance by 31 August 2007 and that have not suffered a data compromise.
Acquirers of Level 1 and Level 2 merchants that validate PCI compliance by 31 March 2007 will receive a one-time payment for each qualifying merchant. Acquirers whose merchants validate compliance after March but by 31 August 2007 will receive a reduced payment for each qualifying merchant.
In addition, Visa says it will link the benefits of tiered interchange rates to PCI compliance, creating an additional incentive for acquirers of large merchants.
Concerns about the security of cardholder data escalated earlier this year after a security breach at an unspecified merchant forced a number of US banks to re-issue debit cards to customers, after it transpired that decrypted PINs were being used with cloned ATM cards.
Furthermore, in March Visa warned that Fujitsu's point-of-sale software may inadvertently store customer data, including PINs, during debit card transactions. PCI DSS expressly forbids retailers from storing PINs.
As well as providing incentives, Visa says it will continue to fine firms that do not comply with the regulations and that experience security breaches. In 2006, Visa levied $4.6 million in fines, up from a 2005 total of $3.4 million.
Specifically for PCI compliance, acquirers will be fined $5,000 a month for merchants that have not validated by 30 September 2007, rising to $25,000 a month for merchants that have still not validated by 31 December 2007.
For prohibited data storage, acquirers that fail to confirm that their merchants are not storing full track data, CVV2 or PIN data by 31 March 2007 will be liable to fines of up to $10,000 a month per merchant.
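The storage check behind that last deadline is something an acquirer or merchant can run for themselves before Visa does. The following scanner is an added example, not code from Visa or from the article; it looks for the three prohibited items named above (full track data, CVV2 and PIN data) in a constructed POS log sample, and additionally flags cleartext PANs, which PCI DSS requires to be rendered unreadable wherever stored even though a PAN on its own is not "sensitive authentication data". Track 1 and Track 2 layouts follow ISO/IEC 7813 (`%B<PAN>^<NAME>^<YYMM>...?` and `;<PAN>=<YYMM>...?`); the PAN check uses the Luhn checksum to avoid flagging every 16-digit order number. The log lines, field names (`cvv2=`, `pin=`) and card numbers are constructed test data, and the field-name heuristic is an assumption about how a given POS product labels its output.

```python
import re

# Constructed sample of a POS log file, not real data. The card numbers are
# the well-known Visa and Mastercard test PANs (Luhn-valid) so the scanner
# has something to find; the last line is a Luhn-invalid 16-digit order id.
SAMPLE_LOG = """\
2007-03-12 10:01:02 txn=1001 auth=OK amount=42.10
2007-03-12 10:01:05 swipe=%B4111111111111111^DOE/JOHN^0912101?
2007-03-12 10:01:05 swipe2=;4111111111111111=09121011234567890?
2007-03-12 10:02:17 txn=1002 pan=5500000000000004 cvv2=123 pin=1234
2007-03-12 10:03:44 txn=1003 order=1234567890123456 note=not a card
"""

# ISO/IEC 7813 track layouts: Track 1 starts with '%', a format code, the PAN,
# '^', the name, '^', expiry YYMM and discretionary data up to '?'.
TRACK1_RE = re.compile(r"%[A-Z](\d{13,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
# Track 2 starts with ';', then PAN, '=', expiry YYMM, discretionary data, '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")
# Any run of 13-19 digits not embedded in a longer digit run is a PAN candidate.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Heuristic: field names a POS product might use for card-verification values
# and PINs (assumption; adapt to the product's actual log format).
SAD_FIELD_RE = re.compile(
    r"\b(cvv2|cvc2|cid|pin|pinblock)\s*=\s*(\d{3,16})\b", re.IGNORECASE
)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line_no: int, line: str) -> list:
    """Return (line_no, kind, masked_value) tuples for prohibited data found."""
    findings = []
    covered = []  # spans already reported as track data, so the PAN inside is not double-counted
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append((line_no, kind, mask_pan(m.group(1))))
            covered.append(m.span())
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() and m.end() <= e for s, e in covered):
            continue
        if luhn_ok(m.group(1)):
            findings.append((line_no, "pan", mask_pan(m.group(1))))
    for m in SAD_FIELD_RE.finditer(line):
        # Never echo the CVV2/PIN value itself, even to a report.
        findings.append((line_no, m.group(1).lower(), "*" * len(m.group(2))))
    return findings


def scan_text(text: str) -> list:
    """Scan every line of a log file; returns findings in line order."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        out.extend(scan_line(n, line))
    return out


if __name__ == "__main__":
    for line_no, kind, masked in scan_text(SAMPLE_LOG):
        print(f"line {line_no}: {kind} -> {masked}")
```

Run against the sample, the scanner reports Track 1 on line 2, Track 2 on line 3, and a cleartext PAN, a CVV2 and a PIN on line 4, while the Luhn-invalid order number on line 5 is ignored. In practice the same functions would be pointed at POS log directories, database dumps and swap or temp files, since the Fujitsu case above shows that prohibited data is typically written by software the merchant never configured to store it.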
Commenting on the programme, Michael Smith, SVP, enterprise risk and compliance, Visa USA, says locking down cardholder data is an important security component that will benefit financial institutions and merchants, and is equally important to maintaining consumer trust in Visa.
"By combining both incentives and fines, we expect acquirers to increase their efforts with merchants to accelerate their progress toward becoming PCI compliant and eliminating the storage of sensitive card data," says Smith.