Visa Europe has been operating a Technology Innovation Program (TIP) since April 2011. The TIP is designed to reduce compliance assessment requirements for merchants processing most of their transactions through EMV ("chip and PIN").
As of 01 October 2012, the TIP will be active in the USA. To qualify, merchants in the USA need to meet these requirements:
- The merchant must have validated PCI DSS compliance within the previous 12 months or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance, based on a gap analysis.
- The merchant must have confirmed that sensitive authentication data (i.e., full contents of magnetic stripe, CVV2 and/or PIN data) is not stored, as defined in the PCI DSS.
- At least 75 percent* of the merchant’s total transaction count must originate from dual-interface (contact/contactless) enabled chip-reading device terminals.
- The merchant must not be involved in a breach of cardholder data. A breached merchant may qualify for TIP if they have subsequently validated PCI DSS compliance.
(* Visa Europe stipulates that this figure should be 95% for EU merchants.)
Over time, as EMV enters the US market, and device terminals are changed for those which support EMV, brick-and-mortar retailers could easily find that they’re achieving 75% of payments in dual-interface terminals.
But what about the remaining proportion, some of which may be processed through contact centres? It’s here that meeting the second Visa TIP requirement becomes a challenge. Let’s have a look at it again:
The merchant must have confirmed that sensitive authentication data (i.e., full contents of magnetic stripe, CVV2 and/or PIN data) is not stored, as defined in the PCI DSS.
Historically, this has proven a challenge for organisations of all sizes in the contact centre environment. Under the PCI DSS requirements, CVV2 data must not be stored at all post-authorisation, in any format. This includes telephone call recordings. So to ensure that the Visa TIP remains accessible to you, you need, as a minimum, to remove CVV2 information from your call recording environment.
Luckily, there are 5 ways in which you can do that. Some are easier than others, and some will not be relevant to your situation. We’ve put together a handy guide to help you decide which approach is best for you. You can read it here: http://www.callguard.co/2011/08/five-ways-to-make-call-recordings-pci-dss-compliant/.
One more thing
If you process only Visa transactions, you can stop reading now. Move along, nothing further to see.
Still here? Yes… because as Branden Williams points out, no merchant processes only Visa transactions, right? It therefore seems unlikely that there would be any organisation which could actually use the TIP to reduce its assessment burden right now. However, we concur with Branden, and we hope (even expect?) that the other card brands will follow suit, and allow many merchants to reduce their compliance costs and burden in the near future.