After months of negotiating contracts and fees in the US for Visa PCI compliance assessments, I just ran into this odd bit of news from Canada that Visa has offered to provide free scans indefinitely. Does this mean there is no need for a certified PCI assessor if you are a Tier 2 merchant or smaller?
According to Visa, the free service, which uses a U.S. vendor but is available across the Asia-Pacific, will be provided “indefinitely” at this point to all merchants that accept Visa cards for payment of goods and services.
Lodens [Visa’s head of third-party assurance] said Visa’s main message, that merchants and third-party processors should not be storing card information, remains unchanged.
“If there is a need for that, then [merchants] need to protect the information,” he said, adding that card-holder data should not be stored. “Where we see incidents of compromise is because merchants are unnecessarily storing information.”
Yes, please do encrypt if you must store the data. And please do protect the keys if you must encrypt…but free security scans from the Payment Card Industry? More research required.
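To make the "encrypt if you must store, and protect the keys if you must encrypt" point concrete, here is an added example (mine, not code from the post, from Visa, or from any PCI program). It stores only a masked PAN for day-to-day use and, where the full number genuinely has to be retained, applies envelope encryption: a fresh random data key per record encrypts the PAN with AES-256-GCM, and that data key is itself wrapped under a key-encrypting key (KEK). The KEK here is just a byte slice passed in; in a real deployment it would live in an HSM or KMS and never sit beside the database. The `Record` type, the function names and the sample card number (a well-known test number) are all my own assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Record is what lands in the database: never the PAN itself, only a masked
// display value, the AES-GCM ciphertext, and the per-record data key wrapped
// under the KEK. (Hypothetical schema for this example.)
type Record struct {
	ID         string
	Masked     string // first six + last four digits
	Nonce      []byte
	Cipher     []byte // AES-256-GCM(DEK, PAN)
	WrapNonce  []byte
	WrappedDEK []byte // AES-256-GCM(KEK, DEK)
}

// normalizePAN strips spaces and rejects anything that is not 13-19 digits.
func normalizePAN(pan string) (string, error) {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) < 13 || len(digits) > 19 {
		return "", errors.New("PAN length out of range")
	}
	for _, c := range digits {
		if c < '0' || c > '9' {
			return "", errors.New("PAN contains non-digits")
		}
	}
	return digits, nil
}

// MaskPAN keeps only the first six and last four digits, which is all that
// receipts and customer-service lookups normally need.
func MaskPAN(pan string) (string, error) {
	d, err := normalizePAN(pan)
	if err != nil {
		return "", err
	}
	return d[:6] + strings.Repeat("*", len(d)-10) + d[len(d)-4:], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce, binding aad.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// EncryptPAN performs envelope encryption. The record ID is bound as
// associated data at both layers, so a ciphertext or wrapped key cannot be
// transplanted onto another row without detection.
func EncryptPAN(kek []byte, id, pan string) (Record, error) {
	digits, err := normalizePAN(pan)
	if err != nil {
		return Record{}, err
	}
	masked, _ := MaskPAN(digits)
	dek := make([]byte, 32) // one random 256-bit data key per record
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	nonce, ct, err := seal(dek, []byte(digits), []byte(id))
	if err != nil {
		return Record{}, err
	}
	wn, wdek, err := seal(kek, dek, []byte(id)) // wrap the DEK under the KEK
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, Masked: masked, Nonce: nonce, Cipher: ct, WrapNonce: wn, WrappedDEK: wdek}, nil
}

// DecryptPAN unwraps the DEK with the KEK, then decrypts the PAN. Any
// tampering, wrong KEK, or mismatched record ID fails authentication.
func DecryptPAN(kek []byte, rec Record) (string, error) {
	dek, err := open(kek, rec.WrapNonce, rec.WrappedDEK, []byte(rec.ID))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pan, err := open(dek, rec.Nonce, rec.Cipher, []byte(rec.ID))
	if err != nil {
		return "", fmt.Errorf("decrypt PAN: %w", err)
	}
	return string(pan), nil
}

func main() {
	kek := make([]byte, 32) // stand-in for a KMS/HSM-held key
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := EncryptPAN(kek, "order-1001", "4111 1111 1111 1111")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored for display:", rec.Masked)
	pan, err := DecryptPAN(kek, rec)
	fmt.Println("recovered:", pan, err)
}
```

The point the layout makes is that the database only ever holds ciphertext and wrapped keys: rotating or revoking the KEK in the KMS, or losing it, renders every stored PAN unreadable without touching the rows, while the masked column keeps the business processes running. If the full PAN is not actually needed, drop the encrypted fields entirely and keep only `Masked`.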