Monday, July 30, 2012

Visa's PCI compliance policy change: The end of the PCI assessment?

Does Visa's recent policy change on compliance assessments for the Payment Card Industry Data Security Standard (PCI DSS) mean the death of the PCI assessment?

Image source: Searunner
This change, under which merchants meeting certain criteria no longer need to undergo PCI assessments, may have many merchants and security professionals jumping at the idea of never again filling out those lengthy annual self-assessment questionnaires (SAQs) as part of compliance validation. But the PCI DSS program is here to stay, and the SAQs probably are too.

The good news for merchants is that several movements on the rise may limit the number of merchants required to fill out the assessment forms and reduce the amount of time needed to complete them, including clearly defining the cardholder data environment, outsourcing credit-card processing, and using Europay, MasterCard, and Visa (EMV) "chip and PIN"-enabled terminals.

Read Mike Chapple's discussion on the PCI community's shift toward "a risk-based approach that reduces the burden on merchants not engaged in high-risk activities."
