PCI Compliance - New Requirements for Level 4 Merchants

Credit card breaches are not going away any time soon, that is for sure! While Healthcare breaches seem to be getting all the attention due to the sheer volume in records compromised, payment card data continues to be a prime target for hackers and organized crime entities. As a result, Visa recently announced some changes around PCI Compliance that are specific to Level 4 merchants that we need to share and explain as the changes can be a bit confusing.

First, what are the changes? There are actually two significant changes that were outlined recently and take effect on January 31, 2017:

1. Level 4 merchants must only use PCI Certified Integrator and Reseller professionals for point-of-sale application and terminal installation. The reason for this change, according to the Visa bulletin, is due to the fact that small merchants remain a primary target of hackers that are attempting to compromise and ultimately steal payment card data. In addition, forensic reports have indicated that the biggest risk or area of compromise for small merchants had to do with improperly configured applications and terminals, allowing hackers to gain remote access to these applications and terminals. By requiring Level 4 merchants to use PCI QIR professionals that have been certified by the PCI Security Standards Council, Visa believes that this will reduce the risk associated with breaches in small merchants
2. Level 4 merchants may now qualify for the Visa Technology Innovation Program (TIP). This is a program established by Visa that recognizes merchants that take appropriate measures to reduce the opportunity for fraud and compromise of payment card data through either investing in EMV technology or using PCI SSC validated point-to-point  (P2PE) encryption solutions. Be enrolling in the Visa TIP program, level 4 merchants will now be allowed to discontinue the annual PCI DSS validation assessment. 

When it comes to the Visa TIP program and the requirements associated with the program, there are some very specific warnings that need to be heeded.

• While participating merchants can discontinue the annual PCI DSS validation assessment for Visa, they must ensure that they remain PCI DSS compliant. This is not a free pass to abandon PCI DSS compliance, rather it allows the merchant the opportunity to not have to provide verification through the annual assessment to their acquirer.
• The Visa TIP program only applies to Visa, not the other card brands. In other words, if you accept the other card brands, such as Mastercard, you will most likely still have to complete an annual PCI DSS validation assessment and provide documentation of this to your acquirer. Again, this is not a free pass to abandon PCI DSS compliance so please be sure you check with your acquirer to ensure you meet their requirements and provide the documentation that they request.

PCI Compliance can be a confusing process, especially for smaller merchants, and what they are required to complete and document. As a Qualified Security Assessor (QSA) through the PCI Security Standards Council, Compass has had the opportunity to help merchants and service providers of all sizes achieve and maintain compliance with PCI DSS 3.1 requirements. For questions and assistance, please contact us as we would love to help!