Visa's PCI DSS deadline for Level 1 merchants falls today

News by Dan Raywood

The deadline for Visa's global mandate for compliance with the Payment Card Industry Data Security Standard (PCI DSS) falls today.

The deadline for Visa's global mandate for compliance with the Payment Card Industry Data Security Standard (PCI DSS) falls today.

In a statement in 2008, Visa said that by today it will require acquirers to provide an ‘Attestation of Compliance' for each of their Level 1 merchants to demonstrate that each has validated full PCI DSS compliance.

After today, Visa said that it will impose appropriate risk controls, up to and including acquirer fines for failure to provide an attestation form to Visa confirming that each of its Level 1 merchants has validated full PCI DSS compliance.

The specific requirements are for Level 1 merchants, who process more than six million transactions annually.

A survey by Tripwire from earlier this year found that a third of merchants do not understand the requirements of PCI DSS compliance and only 11 per cent were certified as compliant.

Rob Warmack, senior director of international marketing at Tripwire, told SC Magazine that he felt that with this deadline and the next version of the standards it was all going in the right direction. He said: “It is better for security and many requirements are more specific, there is scope to inform that retailers are doing it wrong. It is about telling those who don't have a policy that it is on the message.”

Alan Bentley, SVP international at Lumension, said: “PCI compliance might have been around for some time, but merchants are still struggling to get their heads around the requirements.  The September 30th deadline is mandating that Level 1 merchants now comply with the original v1.2 guidelines.

“However, the compliance puzzle doesn't end there as Version 2.0 is just around the corner meaning, merchants not only need to be concerned about their ability to prove compliance with v1.2, but with the steps they need to take to get to the next stage of compliance.

“All too often, organisations fall into the compliance trap and focus all their efforts on meeting the requirements of a new deadline, without thinking about the bigger picture. This broken compliance strategy is not only costly, but ineffective when it comes to security. Taking a myopic view of regulatory compliance creates a situation where merchants are constantly reinventing the wheel, wasting time and effort, and ultimately blowing security budgets.

“Merchants must avoid detaching risk management from compliance. PCI standards are designed as a starting point to helping build a strong security posture, but are specifically concerned with payment card data.”

Michael Norton, managing director of, said: “PCI DSS is something all online retailers simply cannot ignore. If you're in business online you need to be able to prove your systems are compliant if you are to avoid a weighty fine.

“The requirements, though, are steep, the documentation runs to over 70 pages so many smaller businesses just don't have the space to do it for themselves. Outsourcing the entire payments process to specialist payment service providers can sidestep the issue. As these companies have already adopted PCI DSS, their customers comply by default. It means they are safeguarded from future changes to the rules, and can also benefit from additional capabilities, such as online fraud detection.”

LogRhythm pointed out that from this point, any smaller company suffering a breach will be automatically moved up to level one status, resulting in additional policies, procedures and higher costs.

VP and MD of international markets at LogRhythm, Ross Brewer, said: “Many merchants are falling into the trap of viewing PCI DSS as a list of requirements that simply need to be ticked off a list within a specific timeframe. However, compliance is not a one-time only requirement, instead organisations should approach it as an ongoing process that requires the automation and optimisation of increasingly complex IT and data operations.”

He also believed that merchants are all too often treating PCI compliance as the responsibility of a single business division, without considering how the measures it prescribes can improve operational efficiency across all areas of the organisation.

“Many merchants are taking a siloed approach to PCI DSS, thinking about how it impacts card transaction procedures, rather than viewing it as a set of best practices that can actually improve the performance of the entire business,” he said.

“While such ‘knee-jerk' responses to PCI mandates may seem relatively cheap to implement, in reality they are a false economy. Instead, it makes sense to deploy monitoring solutions that can add value in as many areas as possible, after all, there is a significant difference between simply complying and actually doing something that benefits the business as a whole.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews