Visa relaxes PCI stance
Card giant says it will give firms more time to comply with the data security standard
Credit card provider Visa has offered an olive branch to firms struggling to meet stringent Payment Card Industry Data Security Standards (PCI DSS), saying it will not penalise companies if it judges that they have made best efforts to comply.
The PCI DSS was created by the credit card companies in an effort to increase the security around cardholder data. It requires all firms that transmit, process or store credit card data to meet a 12-point list of requirements, including implementing strong encryption and user access controls.
However, a general lack of awareness about the standard exists among UK firms, and many failed to meet the 30 June deadline for compliance.
At a roundtable hosted by transaction management specialist The Logic Group, Stanley Skoglund, head of compliance and business support at Visa Europe, sympathised with retailers struggling to meet the PCI standard, explaining that Visa's own legacy IT systems had caused it many compliance problems.
"If an organisation shares its plans with us and the timeline it's working towards, and it is not storing [cardholder] data, then that is an acceptable position," Skoglund explained. "They must move forward, but if they do everything in the interim to mitigate risks it is to be applauded because it is a difficult thing to do."
Skoglund added that Visa has no plans to make an example of any big-name, non-compliant retailers by penalising them. Instead, he said the card giant is making greater efforts to listen to retailers' concerns, although more needs to be done to facilitate greater understanding between all industry stakeholders.
Gareth Wokes, chairman of The Logic Group, argued that his customers, which include the top 10 retailers in the UK, are finally beginning to understand the requirements and implications of PCI DSS.
"It's been a long journey but we are getting there and having conversations with customers who understand it," Wokes added. "PCI is about [reducing] organised crime, but now good governance requires retailers to consider it."
Skoglund added that Visa would continue to help its users. "My role is taking the tension out of the relationship between banks and retailers [and us] and getting them round the table," he said.
If all stakeholders had been on the same page, the security initiative rolled out by Visa and MasterCard - known as 3-D Secure - might have been more effective, Skoglund argued. "The problem was on the issuing side of things, getting the banks to roll out to customers in a way that the customers would understand how to use it," he explained. "There was not a concerted effort across all UK markets."