Visa quietly rolls out three-year security compliance rules

After threatening all sorts of measures against the major firms that accept plastic payments but fail to meet its PCI-DSS security requirements, Visa has quietly rolled out a new set of requirements for all companies - large and small - that accept cards.

The good news is that the immediate comply-or-die requirements of PCI-DSS have effectively been replaced by a three-year rolling series of initiatives.

Visa also says it is working with third-party software vendors to ensure that their systems and software meet the new requirements, so I suspect that most merchants will be able to meet the new Visa security requirements without changing their systems.

The slightly bad news is that very large companies that have developed their own in-house plastic payment systems will have to upgrade the security, which could prove expensive for them.

Their biggest headache - as I understand it - is that Visa no longer allows merchants to store customer card details in any shape or form, even if encrypted.

Many larger companies' card transaction systems store this data in an encrypted audit log by default, so altering the audit logs could require a complete code rework for the company concerned. And that could be an expensive option.

The reworked PABP (Payment Application Best Practices) rules could, therefore, be even more of a headache than PCI-DSS, especially since the first deadline for Phase 1 is January 1, 2008.

From that date, the institutions that provide transaction processing to merchants will only be able to service systems and software that have passed the PABP rules.

Which means that a lot of transaction systems and software could be obsolete - quite literally - overnight...