PCI DSS vs Operating Regulations
I came across an interesting interpretation of PCI DSS recently, whereby a merchant assumed that, because they had been assessed compliant against PCI DSS, every assessed payment channel must also meet the security requirements of the Visa Operating Regulations. The two are not the same thing: PCI DSS is a data security standard, whereas the operating regulations are the card scheme's rules for how transactions may be accepted.
SAQ C-VT (Virtual Terminal) is a self-assessment questionnaire that can be used to assess card-not-present and card-present transactions that are keyed, one at a time, directly into a virtual terminal. Take a browser-based virtual terminal as an example, where transactions are entered one at a time for face to face payments, or entered by a call centre operator.
The SAQ happily lets you assess against it. There are no warning bells, and no advice that a virtual terminal used in this way might breach operating regulations. As a result there has been a slow influx of payment systems where the card number and card security code (a card-not-present method) are being keyed in to process what are, in reality, card-present transactions.
This is wrong. Or at least wrong in Visa Europe's eyes. All face to face payments MUST be taken using Chip and PIN (EMV) in order for a merchant to comply with the Visa Europe operating regulations, and a PCI DSS assessment neither checks for nor certifies this.
If, as a merchant, you are looking to change the way you take payments, then speak to your acquiring bank first. Don't rely on advice from a QSA (we are there to assess against PCI DSS only), and don't rely on information provided by mobile POS vendors, as you could quickly find yourself in a fix.
That said, if you do use card-not-present methods to take card-present transactions, then bear in mind that your bank, or indeed the card scheme, is probably not going to notice until things go wrong, for example when a disputed transaction or a fraud case surfaces and the acceptance method is examined.