PCI relaxation causes channel disquiet

Vendor LogRhythm claims changing compliance requirements sends mixed message

The relaxation of PCI DSS compliance requirements has been met with some concern by security vendor LogRhythm.

From 31 March, European merchants conducting 75 per cent of transactions on EMV-enabled chip-and-PIN terminals will no longer need to demonstrate their compliance on an annual basis. But Ross Brewer, EMEA managing director of LogRhythm, pointed out that even qualifying firms will first have to prove their compliance before being accepted onto the new scheme.

Brewer added that other card issuers, such as MasterCard, will still require companies to be validated annually. Online retailers will also not benefit from the new rules, he said.

Brewer stressed that "Visa should be applauded for trying to reduce the compliance burden for merchants using the latest secure technologies", but added that the move might give retailers mixed signals.

"Perhaps the most interesting thing about Visa's new initiative is the mixed message it sends out about the need to comply with industry best practices," he added. "After all, even if point-of-sale security is completely watertight, who's to say that the credit card details stored elsewhere in the merchant's IT infrastructure are just as safe?

"PCI compliance – as burdensome as it sometimes seems – still delivers benefits to merchants, as it helps them achieve best practice," added Brewer.