A few days ago, Visa announced a new Technology Innovation Program (TIP) that will allow merchants outside of the United States to be exempted from the annual PCI DSS validation requirement. This program will go into effect on March 31, 2011.
The TIP program allows non-US merchants to discontinue annual PCI DSS validation if they meet these criteria:
- Must have previously validated PCI DSS compliance
- Must have confirmed that sensitive authentication data is not stored
- At least 75% of their Visa transactions must originate from chip-enabled terminals (Chip-and-PIN, EMV technologies)
- Must not have been involved in a breach of cardholder data
Several caveats to consider:
- Although Visa may waive the annual validation requirement, all merchants are still required to maintain on-going PCI DSS compliance
- Merchants are still obligated to prove PCI DSS compliance to other card brands such as MasterCard, Amex, Discover, etc.
- Acquirers retain full responsibility for merchants’ PCI DSS compliance, including fines or penalties if a data breach occurs
- The program only applies to merchants outside the US
In summary, Visa’s TIP program won’t have a significant impact on merchants until the other card brands follow with similar initiatives, and merchants still have to be PCI DSS compliant at all times, regardless of whether they need to validate or not!
Reach out if you have any questions.