Visa sets PCI compliance deadlines for rest of world

The largest merchants operating overseas will have less than two years to secure credit card transactions, Visa announced on Monday.

Level-one retailers -- those processing more than six million Visa transactions per year -- must prove adherence to the Payment Card Industry Data Security Standard (PCI DSS) by Sept. 30, 2010, Visa said in a news release. After that date, Visa may begin issuing fines to acquiring banks, which typically pass the penalties down to the merchants.

Visa also announced that as of Sept. 30, 2009, level-one and level-two merchants -- which process between one and six million Visa transactions -- cannot retain any data encoded on the magnetic stripe on the back of the card, such as PINs or security codes.

"Hackers are looking for this type of data because of its use in counterfeiting payment cards, and that is why Visa prohibits its storage," said Eduardo Perez, head of global data security at Visa.

Deadlines for U.S.-based level-one and level-two merchants to comply with PCI DSS already have passed.

Jon Oltsik, senior analyst at Enterprise Strategy Group, said the extension of Visa deadlines to the rest of the world shows the PCI standard has evolved into "a model of best practices."

"The threat isn't a North American threat," Oltsik told "The threat is a global threat. The bad guys are going to go where they think it's easiest to break into. Visa wants to make sure (the standard) gets spread around the world as quickly as possible."

He said most U.S.-based firms with outlets overseas likely have already implemented PCI specifications across their companies.

"If you're a large multinational, typically you don't do these things on a geographic basis," Oltsik said.