+44 (0)20 7877 0060 contact@2-sec.com
Select Page

PCI DSS vs Operating Regulations

I came across an interesting interpretation of PCI DSS recently, whereby a Merchant thought that just because they had been assessed compliant against PCI DSS, then all assessed payment channels also met the security requirements of Visa Operating Regulations.

SAQ-C-VT (Virtual Terminal) is a standard that can be used to assess card-not-present and card-present transactions that are entered directly into a Virtual Terminal.  Let’s take a hosted payment page as an example, where transactions are entered one at a time for face to face payments, or entered by a call centre operator.

The standard happily lets you assess against it – there are no warning bells or advice given that Virtual Terminals might breach operating regulations, and as a result there has been a slow infux of payment systems where card number and card security code are being used to process card-present transactions.

This is wrong.  Or at least wrong in Visa Europe’s eyes.  All face to face payments MUST be taken using Chip and PIN (EMV) in order for a merchant to comply with Visa Europe operating regulations.

If as a Merchant you are looking to change the way you take payments, then speak to your acquiring bank first.  Don’t rely on advice provided by a QSA (we’re here to assess against PCI DSS only) and don’t rely on information provided by mobile POS vendors, as you’d quickly be in a fix.

That said, if you do use card-not-present methods to take card-present transactions, then do bear in mind that your bank, or indeed card scheme, is probably not going to notice until things go wrong.