Visa Inc. says it intends to work with merchants that fail to meet two July 1 payment-security deadlines.
Specifically, acquirers are supposed to ensure their merchants use point-of-sale software that complies with the Payment Application Data Security Standard (PA-DSS) and that any PIN pads connected to Visa Inc.’s network use triple data encryption standard technology, also known as triple DES.
The so-called PA-DSS measure is the last of a five-stage compliance effort that Visa began in 2007, Jennifer Fischer, Visa senior business leader, tells PaymentsSource. PA-DSS applies to certain software, such as what a restaurant may use to accept payments and handle patron orders and similar operational tasks.
“This is the final phase of the program for the United States,” Fischer says. “Now it’s a matter of making sure merchants continue to use compliant programs.”
MasterCard Worldwide has set a July 1, 2012, global deadline for PA-DSS compliance for its merchants, a spokesperson says.
Visa will work with merchants not using software compliant with PA-DSS after the deadline, Fischer says. “We will work with their acquirers or merchant banks, or in some cases their processors, to identify a roadmap for them to use a compliant application,” she says. “We don’t intend to take a punitive approach to the deadline.”
Merchants purposely flouting the requirement, however, could face penalties.
Visa merchants outside of the United States have until July 1, 2012, to adopt PA-DSS-compliant software. The use of POS-payment software elsewhere is not as widespread as it is in the United States, Fischer says.
Visa’s approach for merchants not using triple DES-equipped PIN pads after July 1 is similar to its approach for merchants not using PA-DSS-compliant software, Fischer says. “If there are instances of merchants not using triple DES, we want to work with the merchants and their acquirers,” she says.
Acquirers could face unspecified penalties if merchants continue to use noncompliant devices.
Because of the uniqueness of unattended PIN pads, Visa singled out these devices and gave them another two years, until 2012, before it will assess when to set an enforcement deadline, Fischer says.
The technology for triple DES in the unattended environment, such as with self-serve fuel pumps, had not advanced as far as for PIN pads that rest on a countertop inside a store, she says.
Given the long lead times for these deadlines (Visa announced its PIN-encryption plans in 2005), POS-terminal makers and software developers should not expect a rush of orders, Gil Luria, vice president of equity research at Wedbush Securities Inc., a Los Angeles-based equity research firm, tells PaymentsSource. Sales probably will have a bit of a lift, he says.
The deadlines, and the potential for penalties for noncompliance, likely will increase merchant awareness of the security mandates, Luria says. “All of these things would encourage laggards to upgrade,” he says. “Some won’t do it, and they’ll drag it out and suffer the consequences.”