Compliance Management, Incident Response, TDR

Visa sets PCI compliance deadlines for rest of world

The largest merchants operating overseas will have less than two years to secure credit card transactions, Visa announced on Monday.

Level-one retailers -- those processing more than six million Visa transactions per year -- must prove adherence to the Payment Card Industry Data Security Standard (PCI DSS) by Sept. 30, 2010, Visa said in a news release. After that date, Visa may begin issuing fines to acquiring banks, which typically pass the penalties down to the merchants.

Visa also announced that as of Sept. 30, 2009, level-one and level-two merchants -- which process between one and six million Visa transactions -- cannot retain any data encoded on the magnetic stripe on the back of the card, such as PINs or security codes.

"Hackers are looking for this type of data because of its use in counterfeiting payment cards, and that is why Visa prohibits its storage," said Eduardo Perez, head of global data security at Visa.

Deadlines for U.S.-based level-one and level-two merchants to comply with PCI DSS already have passed.

Jon Oltsik, senior analyst at Enterprise Strategy Group, said the extension of Visa deadlines to the rest of the world shows the PCI standard has evolved into "a model of best practices."

"The threat isn't a North American threat," Oltsik told "The threat is a global threat. The bad guys are going to go where they think it's easiest to break into. Visa wants to make sure (the standard) gets spread around the world as quickly as possible."

He said most U.S.-based firms with outlets overseas likely have already implemented PCI specifications across their companies.

"If you're a large multinational, typically you don't do these things on a geographic basis," Oltsik said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.