Visa recently announced a nationwide push to move merchants to chip-and-PIN technology, a move that will have a dramatic impact on PCI DSS compliance efforts for card-present merchants. This technology, already widely deployed in Europe under the name EMV, uses contactless NFC chips in combination with a PIN to provide two-factor authentication for credit card purchases.

A major part of Visa's announcement is that, beginning in October 2012, any merchant who has at least 75% of card transactions processed through chip-enabled terminals will not be required to annually validate compliance with PCI DSS. This is tremendous news for those charged with validating that merchants are PCI compliant, but there are several important details to keep in mind:

  • Merchants will not be required to validate PCI compliance, but they are still subject to the requirements of PCI DSS. If you have a breach and are found to be non-compliant, you will still be subject to the normal fines and sanctions.

  • The fine print states that 75% of transactions have to be processed through chip-enabled terminals. It does not specify any requirement that transactions actually use the chip-and-PIN technology. This is good news for merchants, as they are not responsible for driving the transactions, only for enabling them.

  • To be eligible, terminals must support both contact and contactless transactions, including mobile NFC transactions.

According to Ellen Richey, chief enterprise risk officer at Visa, "The migration to chip technology will be an important security layer and a critical step in a comprehensive strategy to use dynamic authentication across all markets and all channels."

Overall, this is a great move forward for PCI. While the true benefits will only accrue to merchants who process a large number of card-present transactions and are willing to invest in capital equipment upgrades, the philosophical statement made here is significant. Like the release of SAQs A, B, C and D several years ago, this marks a move toward reducing the compliance burden on merchants who take steps to reduce their risk profile.