Staying Compliant: Visa's New Level 4 Requirements

It’s not just the large merchants that need to be compliant.

Visa now requires all Level 4 merchants in the US and Canada to validate PCI DSS compliance annually.

Visa has always required Level 4 merchants to comply with the PCI DSS. But now Visa requires annual validation of that compliance.

The EMV shift in the United States has prompted fears of a coming spike in card not present fraud, like we saw in Europe and Canada after EMV implementation. As an acquirer, ensuring merchants are compliant with the PCI DSS will reduce the chance your merchants fall victim to these hacks.

See also: Top Ten PCI Requirement Failures: Where is Your Business Struggling?

‍Why Level 4 merchants?

‍Small merchants want to sell their products and services, not worry about data security. Many may not consider security a top priority since they don’t deal with large amounts of card data and their resources are already stretched thin. They feel hackers won’t bother with them since they’re small.

The truth is, while most hacks that appear in the news are from large companies, the majority of hacks are with small companies—the low-hanging fruit.

For hackers, the size of the company isn’t necessarily an issue; if there’s data easily available, they will steal it.

See also: How do Hackers Hack?

Visa's new level 4 requirements

Visa has established new PCI DSS requirements for acquirers in the US and Canada to better ensure card data security:

• Effective March 31, 2016, acquirers must communicate to all Level 4 merchants that beginning 31 January 2017, they must use only Payment Card Industry (PCI)-certified Qualified. Integrators and Reseller (QIR) professionals for point-of-sale (POS) application and terminal installation and integration.
• After January 31, 2017, acquirers must ensure that Level 4 merchants using third parties for POS application and terminal installation and integration engage only PCI QIR professionals.
• After January 31, 2017, acquirers must ensure Level 4 merchants annually validate PCI DSS compliance or participate in the Technology Innovation Program (TIP).

Level 4 Merchants must use Qualified Integrators and Reseller Professionals

‍According to many forensics experts, incorrectly installed and misconfigured POS devices have been linked to a growing number of data breaches. Experts noticed security gaps in remote access services, which create significant data security risk.

See also: SecurityMetrics PCI Guide‍

Starting next year, Visa requires all merchants to have POS devices installed and configured by a company listed on the PCI SSC QIR Companies list. This will ensure the equipment they use will operate more securely, keeping card data secure.

Visa also mentions in the announcement that they plan to update bi-annual reporting requirements to include reporting on the new QIR requirement.

‍What do Visa's new level 4 requirements mean for acquirers and merchants?

‍As a result of the new deadlines, acquirers who don’t run a compliance program may be looking to start one. Acquirers who run a less aggressive program may want to increase outreach and education to merchants.

Merchants will continue to be responsible for fines and fees related to a breach and Visa has a reminder in the announcement that all merchants are still expected to comply with the PCI DSS.

If these new requirements aren’t fulfilled, acquirers and Level 4 merchants could potentially face fines and penalties, especially in cases where card data is stolen.

See also: 7 PCI Compliance Tips for Small Businesses

Technology Innovation Program and the new validation deadlines

Acquirers can continue to approve merchants for inclusion in Visa’s Technology Innovation Program (TIP), which allows acquirers to apply with VISA for a merchant to be exempt from having to validate compliance. Merchants that use technology such as EMV or point-to-point encryption (P2PE) are potential candidates.

To qualify for TIP, merchants must:

• Ensure sensitive authentication data isn’t stored after a transaction.
• Verify that at least 75 percent of all transactions originate through either a dual-interface EMV terminal or a validated P2PE solution.

Visa requires that acquirers report on TIP merchants bi-annually.

Getting your merchants compliant is easier than you think

• Partner with a reputable ASV: The new validation requirements will most likely be met by partnering with an ASV that has experience in mass compliance.
• Educate Merchants: Start security education during the sales process and continue a regular program of education through on-boarding and servicing.
• Train Internal Staff: Training internal staff including sales, risk, operations, service experts, and even C-level will ensure a culture of security.
• Find a way to fund the compliance program: Many acquirers have found innovative ways to continue to fund a compliance program even as compliance rates increase, reducing non-compliance revenue.

Maintaining PCI compliance no matter how large or small your company can keep criminals from ruining businesses and lives of business owners. Acquirers that assist merchants in staying up to date with PCI DSS will also save a lot of headaches in the long run.