Network News

X My Profile
View More Activity

VISA to Enforce Payment Card Security in Europe

Update, 1:20 p.m.: A major correction is in order for this story: A spokesman for Visa just contacted me to say that the new deadlines actually apply to all non-U.S. retailers except those in Europe. The spokesman said Visa Europe is its own association and is subject to a different set of timetables. I will update this story with exactly what the European timetables are when I hear back from Visa Europe.

Update, Nov. 15, 1:15 p.m. ET: Visa Europe sent me a lengthy response about their PCI requirement timelines. Stanley Skoglund, Senior Vice President Policy Compliance, said: "Visa Europe has the same philosophy as Visa Inc as regards PCI DSS; everybody in the payment chain must adopt PCI DSS.

"However there are regional differences in the compliance validation regimes and these differences reflect the individual nature of the markets and merchant segments involved".

I have included their entire statement -- which includes specific timetables for Visa Europe merchants -- after the jump.

Original post:

Visa Inc. on Monday dramatically expanded its credit and debit card security requirements to retailers in Europe, an unexpected move that could be a financial boon to security auditing companies, but a huge cost for European merchants already feeling the pinch from the global financial crisis.

The new payment card industry (PCI) mandates (PDF) that certain on- and offline European retailers stop storing the data read when the customer's credit or debit card is swiped through the cash register reader. This requirement has applied to U.S. based retailers for years now.

"Hackers are looking for this type of data because of its use in counterfeiting payment cards, and that is why Visa prohibits its storage," Eduardo Perez, head of global data security for Visa Inc., said in a statement.

Retailers included in the new mandate are those that Visa classifies as Tier 1 -- merchants that process more than six million Visa transactions annually -- and Tier 2, which include sellers that process between one and six million Visa transactions a year.

Taken together, these two tiers make up about 80 percent of about 20 million businesses that accept credit cards worldwide.

Avivah Litan, a fraud analyst with Gartner Inc., called the change "a huge announcement," noting that Visa has until now only placed these requirements on U.S.-based merchants. She estimates that European retailers will need to spend between $2 billion and $4 billion to implement the requirements, which take effect in September 2009.

In some cases, merchants may need to upgrade payment card software and hardware. More importantly, they will need to pay outside experts to certify that their systems meet the new standards.

The new requirements are aimed at preventing cyber crooks and hackers from gaining access to more than just the credit card number. Stores will often also keep on file the customer's name, the card's expiration date and digital copies of the very ones and zeros that make up the data stored on the magnetic stripe located on the back of the credit card itself.

This data, if intercepted or stolen (along with PIN codes in the case of debit cards) can be written to the magnetic stripe of fabricated cards, making it easy for criminals to create counterfeit cards that they can then use at Main Street stores to make purchases in the victim's name.

Banks have been among the strongest advociates of these payment card standards, said Litan. When these fradulent cards are used in stores, it generally becomes the responsibility of the bank who issued the credit card to pay a retailer back for the loss, including both the value of the merchandise and for the transaction fee retailers are required to pay Visa to accept their cards.

"VISA has been responding to squeakiest wheel here, which in this case is U.S. card issuers who have been all over VISA because of high rates of counterfeit card fraud," Litan said.

While VISA says some 80 percent of Tier 1 and Tier 2 U.S. merchants that accept credit cards no longer store payment card information, that number is considerably lower among European merchants. Visa declined to share exact numbers, but Litan said only about 5 percent of European retailers are compliant with Visa's new guidelines.


Perhaps the toughest part of VISA's new requirements for European retailers is that they offer no compensation for retailers who have adopted a so-called "chip and pin," approach, a technology widely implemented in Europe that encodes the data from the magnetic stripe in a computer chip embedded on the card, which is cryptographically signed and cannot be forged. Under such a system, even if the data stored on the card's magnetic stripe is forged, that data will not match the same information stored on the card's computer chip, thereby potentially triggering a warning for retailers.

Unfortunately for many European banks, these cards must also be readable by U.S. retailers that are not equipped to verify the cryptographic data on the chips. As a result, fraudsters who have stolen magnetic stripe data from European retailers merely need to fabricate the cards and ship them to accomplices in the United States, who use them to run up charges at U.S. retailers or to pull money out of local ATMs.

Litan said while European retailers have recently suffered major breaches in which fraudsters have made off with mag stripe data and used it to counterfeit cards that were used in other countries, most European countries do not have the same laws in place as most U.S. states, which require merchants that experience a data breach or loss to report the incident to consumers and in some cases state regulators.

"While European retailers recently have seen a tremendous surge in ATM fraud -- especially cross-border fraud -- the retailers in those countries aren't required to disclose the incidents," Litan said.

Litan said the VISA requirements are likely to be a huge thorn in the side for European merchants who have spent the past few years and billions of dollars implementing the chip-and-PIN approach, as VISA's requirements offer those retailers no leeway or remuneration for adopting that technology. Meanwhile, the United States is among a dwindling number of major nations that have NOT adopted or moved to adopt more physical security on credit and debit cards, she said.

What follows is the remainder of the statement from Visa Europe:

"In Europe our approach is to negotiate implementation dates for full PCI DSS compliance with individual acquirers for the level 1 merchants they acquire based on their specific circumstances. However, it is an absolute requirement that any individual implementation plans must ensure that the merchant in question has undertaken effective risk mitigation by certifying that no sensitive authentication data is stored after authorisation and that they have adequate network security. The removal of sensitive authentication data will ensure that account data, if exposed, cannot be used by fraudsters to commit counterfeit fraud. Acquirers who cannot ensure that these critical risk mitigation steps have been taken are liable to penalties. The vast majority of European Level 1 merchants have either validated their PCI compliance, or have ceased to store this sensitive data and are working towards validating compliance. This protects issuers and cardholders from counterfeit cards created from stolen data - the key objective of PCI DSS.

"Level 2 merchants in Europe have a deadline of December 31 to validate compliance with PCI DSS, a mandate that has been in place for two years.

"Level 3 merchants, any e-commerce merchant, must by September 31, 2009 use a PCI certified service provider or produce a certificate themselves to their acquirer to validate their compliance. This mandate is aimed at ensuring that merchant service providers serving high numbers of e-commerce merchants do not pose a risk to these merchants or the constituents of the payment system.

"Level 4 merchants are currently not required to validate compliance however Visa Europe's policies any entities storing, processing or transmitting account data must adopt PCI DSS."

"Other risk mitigating initiatives taken by Visa Europe and its members include the requirement to issue EMV chip cards with iCVV, which will ensure detection of counterfeit fraud and compulsory authentication of card-not-present transactions."

By Brian Krebs  |  November 11, 2008; 11:50 AM ET
Categories:  Economy Watch , Fraud , From the Bunker , Latest Warnings , Piracy , Web Fraud 2.0  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Extortionists Target Major Pharmacy Processor
Next: Microsoft Patches Four Windows Security Holes


Although it is true that European legislation usually does not require notice to consumers when data are compromised, European merchants are often required by contract to notify their banks when card data are breached. It is the notices to banks that really count. Notices to consumers are often of dubious value. -Ben

Posted by: benjaminwright | November 11, 2008 2:01 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company