Although they are both very important and they are often used in the same discussion, Compliance and Risk Management can be two very different approaches to the same problem.

On the one hand, Compliance is about complying with a particular set of rules and regulations at a particular point in time. When it comes to Cardholder Data, these rules are set out by the PCI DSS (Payment Card Industry Data Security Standard), a series of requirements that must be followed by Merchants that accept payment through payment cards or store/transmit Cardholder Data; Merchants that are not PCI compliant may face fines from their Acquiring Bank. These requirements are designed to ensure that each merchant is keeping up with the appropriate practices for keeping cardholder data safe.

Risk management, on the other hand, is when a business forecasts and evaluates potential risks, allowing it to have procedures and action plans in place for when (or if) something goes wrong. This allows a business to be prepared, even at times when it has already been assessed as compliant. It's about being proactive rather than reactive!

Know the difference when you deal with PCI DSS.

Merchants need to understand the difference between "being compliant" and "managing risks". Once you are Compliant with the rules and have followed the requirements, it can be easy to forget about them, fall back on poor security practices, and turn compliance into a tick-box exercise without really managing security risk.

Compliance is actually an ongoing process, and organisations must think about security all the time. Instead of achieving compliance and feeling satisfied, they should manage potential risks and act proactively to prevent hacks and breaches on a daily basis.

For Acquiring Banks, one major issue is that they may focus only on merchants that are close to reaching compliance. While compliance is important, it's just as important that Acquirers also focus on all the merchants within their portfolios that pose a significant risk. Acquirers need to consider running risk-based activities with their merchants in order to put preventive measures in place.

Introducing the VISA Europe Mandate

With PCI DSS in mind, VISA Europe has recently stepped into the Risk Management vs Compliance discussion. VISA Europe's new Mandate is set to go live on the 1st of May 2016, and it aims to make organisations more accountable for their actions.

For example, under the mandate, Merchant Portfolio reporting will go from a quarterly schedule to reports every six months. Acquirers will have to achieve the nominal target of 90% compliance for each merchant level (1, 2, 3, 4) and those who fail to meet the target for any merchant level will have to provide a plan for the next 12 months. Moreover, those who fall significantly below the expectations set by the VISA Europe Mandate may find themselves being formally audited by VISA Europe.

Other aspects of the VISA Europe Mandate include Acquirers incentivising the use of VbV (Verified by VISA) and promoting incident response plans across their merchant portfolios (ensuring that breaches are disclosed in a timely manner).

At first sight it may seem that a lot of pressure is being put on Acquirers, but the idea is that, if Acquirers support their merchant portfolios when it comes to IT security, both the amount of risk and the potential associated financial penalties will decrease. It should also allow Acquirers more flexibility to manage their portfolio risks in order to preserve the integrity of the payments ecosystem.

Conclusions

As you can see, Risk Management is definitely the way to go. VISA Europe's new Mandate is a great step towards a risk-based approach that allows those who manage merchant portfolios (we call them Merchant Portfolio Authorities - MPA - e.g. acquirers/processors, PSPs, aggregators, franchises, etc.) and Merchants to think about PCI Compliance in a different way: not as an end status but as an important achievement to monitor and protect constantly.

We understand that the VISA Europe Mandate may seem like a daunting set of changes, as it involves not only practical measures but cultural shifts too. So, to make things much more understandable, Advantio hosted a live webinar on this important topic.

The Webinar is offline, but...

Titled "1st May 2016: Are You Ready To Comply With The Latest VISA Europe Mandate?", the webinar was led by Neira Jones on the 25th of February 2016.

Over the course of a thirty-minute presentation, Neira explained the main cultural changes that the mandate brings, along with an in-depth look at the new fines and how you can avoid them, letting you be fully prepared ahead of the big shift in May 2016.

Do you want to know more about the VISA Europe Mandate? Get in touch with us.

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason I started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight) / Linux+ / PCI-QSA / PA-QSA