Visa Announces Changes to Compliance Policy for Triple DES-PIN Implementation 
The dates haven’t changed, but enforcement changes may give retailers breathing room to comply.

Posted: Apr 30, 2009

SAN FRANCISCO – On April 22, Visa issued an updated enforcement policy for Triple Data Encryption Standard (TDES) usage but left the implementation date of July 1, 2010, unchanged.

Under Visa’s announcement, the following is the new enforcement policy:

POS TDES Usage — Excluding U.S. Automated Fuel Dispensers (AFD) at Petroleum Merchants

  • October 1, 2009: Acquirers must submit to Visa a summary TDES compliance status report and plan to achieve full compliance for sponsored attended POS activity.
  • August 1, 2012: Acquirers may be assessed fines for sponsoring any non-TDES-compliant merchants or agents.

U.S. Petroleum Merchants — TDES Usage

  • October 1, 2009: Acquirers must submit to Visa a summary TDES compliance status report and plan to achieve full compliance for sponsored AFD activity.
  • July 1, 2010: Acquirers may be assessed fines for merchants that are not using at least single DES (SDES) Derived Unique Key per Transaction (DUKPT) or TDES.
  • Inside petroleum sales (non-AFD) will be managed under the POS category policy.

U.S. Petroleum Merchants — Encrypting PIN Pad (EPP) Usage

  • January 1, 2009: Acquirers may be assessed fines for newly deployed AFDs without TDES-capable Payment Card Industry (PCI)-approved EPPs.
  • October 1, 2009: Acquirers must submit a summary AFD EPP attestation for newly deployed AFDs at sponsored merchants.

The key change for petroleum retailers is that fines will no longer be assessed automatically to their acquirer for retailers using single DES DUKPT (Derived Unique Key Per Transaction) on their dispensers. The standard still calls for conversion to triple DES by July 1, 2010, as before; under the new statement, however, fines for the acquirer are discretionary rather than automatic.

Further, Visa cautions single DES users that in the event of a PIN compromise, their acquirers will continue to be subject to Account Data Compromise Recovery, Data Compromise Recovery Solution or similar program liabilities in addition to potential fines if the entity is found to be non-compliant with the PCI PIN requirements, including any use of single DES past July 1, 2010.

Visa cautioned that this enforcement policy is based on the current risk environment for cardholder PINs and may change with emerging threats.

This implies that retailers willing to assume the risk of non-compliance in the event of a breach can continue to use single DES DUKPT PIN entry devices after the deadline, provided there is a plan to upgrade to Triple DES after July 1, 2010.

NACS recommends that retailers contact their equipment provider(s) to determine what type of PIN pads are installed and what upgrades, if any, will be required to meet the retailer’s desired level of compliance.

Separately, Visa announced in its PCI FAQs that it currently has no plans to require retrofitting of deployed dispensers to the PCI Unattended Payment Terminal (UPT) 1.0 specification as part of any implementation schedule. Again, this is subject to change based on the risk environment as judged by Visa.
