Patrick Turiano

September 2, 2011

There have been numerous articles over the past several days covering Visa’s plans to push U.S. merchants to adopt EMV-enabled payments. Visa said merchants who have at least 75 percent of their Visa transactions originate from chip-enabled terminals will be able to forgo the cost of annual PCI compliance certification. To qualify for the PCI compliance waiver, terminals must support both contact and contactless transactions, including mobile contactless payments based on Near Field Communications (NFC) technology.

With this announcement, Visa isn’t targeting all merchants; it is really incentivizing the Level 1 and 2 merchants, as they pay the most for Payment Card Industry (PCI) compliance and have the most to gain. Clearly this is Visa’s strategy to gain market share in the NFC race, and once these larger merchants accept this type of payment, the pressure will fall to the Level 3 and 4 merchants to adopt the technology as well. The irony here is that larger merchants are already using POS systems which operate in relatively high-threat environments. To incentivize them to avoid PCI compliance costs with EMV-enabled payment terminals doesn’t make much sense, unless they are betting that Level 1 and 2 merchants already have PCI requirements in place. On the other hand, Level 4 merchants may not follow suit to upgrade their payment terminals, as the requirements for PCI compliance are so loosely defined that there is no incentive for them to do so.

It does appear that Visa is using PCI compliance as a sacrificial lamb to gain market share with NFC payments. If you believe that’s the case, then it means one of a few things.

  • Visa doesn’t care about data security and loss of cardholder data.
  • Visa doesn’t believe that PCI is an effective way to protect cardholder data and is somewhat giving up on PCI.
  • Visa believes that the loss of cardholder data is now a fact of life and doesn’t believe the breaches are that damaging to the brand.
  • Some combination of all three.

I believe the latter to be true and Visa is essentially saying, “PCI isn’t really working so we’ll exempt the merchants from the regulations if they help us push NFC and help us capture market share before the other guys do.”

