PCI Council’s New EMV Payment Token Rules Are Worth Reading Closely

The PCI Council in late December rolled out its security rules for token service providers for EMV payment tokens, which overwhelmingly deals with mobile transactions. Today, the card brands handle the vast majority of tokens issued, but the council expects that to sharply change now that EMVCo has released the specification. Given the importance of tokens to payment facilitators, it’s worth a read.

One of the fun things that this document does, in pure PCI Council fashion, is deliver more acronyms. Yes, these are brand acronyms. (No, no need to thank them.) One is TDE, for Token Data Environment. An important term—not an acronym yet, sadly—is Payment Token Data, which has a very specific definition: “Covers a number of discrete data elements, including the Payment Token and related data as defined in the EMV Payment Tokenisation Specification Technical Framework, which include the Payment Token Expiry Date, Payment Token Requestor ID, Payment Token Assurance Level and Payment Token Assurance Data.”

Read More

Visa Adds New Level 4 PCI Requirement, As The PF Attractiveness Gets A Lot Stronger

In a late holiday gift for PFs everywhere, Visa has upped the requirements for PCI Level 4 (small businesses) merchants. Specifically, as the end of January 2017, those small merchants “must use only Payment Card Industry (PCI)-certified Qualified Integrators and Reseller (QIR) professionals for point-of-sale (POS) application and terminal installation and integration.”

Although few would argue that using trained and approved vendors to do any POS work is not a good idea, merchants are already feeling that the burdens of getting and staying PCI compliant are too high. Given a PF’s willingness to take on all of the PCI aggravation, that offer just got more attractive to Level 4s.

Read More