Stepping Up PCI Compliance

Common sense is entering the picture finally...

Although it was already too late to prevent the TJX data breach, Visa in December said it would begin offering $20 million in financial incentives and create new sanctions to spur merchant compliance with PCI through its Visa PCI Compliance Acceleration Program. "The initiative's goal is to eradicate the storage of full-track data, CVV2, and PIN data, and grow PCI compliance among this group of merchants," Visa said in a statement at the time. Merchants in full compliance with PCI by March 31, and who have not had any of their data compromised, will be eligible to receive a one-time payment, although Visa doesn't specify the amount.

Visa has for the past two years been handing out fines for noncompliance with PCI. In 2006, Visa assessed $4.6 million in fines, up from a 2005 total of $3.4 million. Banks that process credit card transactions for businesses will be fined up to $25,000 monthly for any of their largest merchants--those that process more than 1 million Visa transactions annually--not in compliance with PCI by the end of the year.

These banks also are required to assure Visa that their merchants aren't storing full-track, CVV2, or PIN data by March 31, or the banks will be eligible for fines up to $10,000 per month.