Visa sets global PCI DSS deadlines
November 13th, 2008 by admin Posted in Asia-Pacific, Card Brands, Compliance, Europe, Merchant, PCI DSS, Service Provider
Only days after Visa Asia-Pacific announced compliance deadlines within their region, Visa Inc. announced global compliance deadlines for all regions. (Thanks to Danny for pointing this out.)
The deadlines apply to all Visa regions globally and appear to be a natural evolution of the enforcement already in place in several regions, including the US. Visa will require its acquirers to verify that their Level 1 and 2 merchants meet the following deadlines.
Merchant dates include:
- September 30, 2009: Companies cannot store “Prohibited Data”. This includes: magnetic stripe or track data, card verification value or code data, PIN or PIN block data even if encrypted.
- September 20, 2010: Level 1 merchants must demonstrate they have validated full compliance. “After that date, Visa will impose appropriate risk controls, up to and including acquirer fines for failure to provide an attestation form to Visa confirming that each of its Level 1 merchants has validated full PCI DSS compliance. The September 30, 2010 deadline does not supersede any applicable earlier regional deadlines and related enforcement programs previously established.”
Service Provider dates include:
- February 1, 2009: Visa has globally aligned its Service Provider levels, removed the reference to the “gateway” definition, and consolidated the levels into two.
Conclusion
This means merchants need to get working on validating their compliance. Top of the list should be retail merchants whose locations are distributed across large geographic areas. These merchants take the longest to achieve compliance because of the time required to change out their POS systems.
Update: Thanks to Sebastian for pointing out the following:
The new framework establishes the minimum requirements for Visa Inc. regions. As an independent company and licensee of Visa International for the business operations in European markets, Visa Europe’s PCI DSS framework requires compliance validation and risk mitigation for Level 1 merchants; however the region will be adhering to a different timeline and process for executing compliance validation.
2 Responses to “Visa sets global PCI DSS deadlines”
By Sebastian Kübeck on Nov 16, 2008
Your excerpt is a little bit incomplete. The announcement seems not to apply to the European region!
“The new framework establishes the minimum requirements for Visa Inc. regions. As an independent company and licensee of Visa International for the business operations in European markets, Visa Europe’s PCI DSS framework requires compliance validation and risk mitigation for Level 1 merchants; however the region will be adhering to a different timeline and process for executing compliance validation.”