On the 1st of May 2016, Visa Europe mandate officially went live. The European mandate aimed to make organisations more accountable for their security, as it included changes to Merchant Portfolio reporting (which is now every six months instead of three) and it also saw Acquirers having to achieve a nominal target of 90% compliance for each Merchant Level, with those who fall significantly below the mandate’s targets potentially being formally audited by Visa Europe.


However, Europe is not the only region that must become more secure in terms of cyber security as Visa has also updated the mandate for Acquirers in the United States and Canada, regarding small merchant breaches. The organisation has now unveiled the deadlines for this update.

What is the Small Merchant Security Mandate?

In its small merchant security program requirements update, which can be found here, Visa explains that small merchants in the United States and Canada are a regular target for hackers who are trying to compromise payment data and that “investigators have identified links between improperly installed PoS applications and merchant payment data environment breaches.” It also says that “forensic reports note security protocol gaps in remote access services that integrators and resellers use to provide monitoring and software support.”

When is the deadline?

As a result, the organisation is releasing this mandate so that Acquirers “ensure their small merchants are taking steps to secure their environment.”

The updated deadlines for the mandate’s requirements are as follows:

  • (NEW) Effective 31 March 2016, acquirers must communicate to all Level 4 merchants that beginning 31 January 2017, they must use only Payment Card Industry (PCI) certified Qualified Integrators and Reseller (QIR) professionals for point-of-sale (PoS) application and terminal installation and integration.
  • Effective 31 January 2017, acquirers must ensure that Level 4 merchants using third parties for PoS application and terminal installation and integration engage only PCI QIR professionals.
  • Effective 31 January 2017, acquirers must ensure Level 4 merchants annually validate PCI DSS compliance or participate in the Technology Innovation Program (TIP).

Visa also says that “single-use terminals without Internet connectivity are considered low risk and may be excluded from these requirements.” And, “if a merchant does not use a third party for PoS application or terminal installation, integration or maintenance, the requirement to use a QIR does not apply.”

Moreover, Level 4 merchants can now qualify for the Visa Technology Innovation Program (TIP) “which recognizes and acknowledges merchants that take action to prevent counterfeit fraud by investing in EMV technology or PCI SSC validated point-to-point encryption (P2PE) solutions.” To qualify, Level 4 merchants must confirm that they do not store “sensitive authentication data” (e.g CVV2 and PIN data) and they must ensure that at least 75% of transactions go through an enabled and operating EMV chip-reading terminals or a PCI SSC validated P2PE solution (listed on the PCI SSC website).

We should also note that this mandate only affects those in the United States and Canada for the time being. Visa“will continue to evaluate whether the requirements should be expanded to acquirers in other countries.”

What are the risks of non-compliance?

Just like with Visa European mandate, the organisation expects acquirers to report back to them biannually. The small merchant security mandate update bulletin notes that Visa will “update the Biannual Acquirer Reporting template to capture additional information regarding merchants’ use of QIRs, chip terminals, P2PE solutions and service providers. Visa will distribute details on the revised reporting template to clients in 2016.”

Visa also notes that it “requires that clients, their merchants and agents comply with PCI DSS and all relevant policies, as well as the validation and reporting requirements outlined in Visa data security compliance programs, including the Account Information Security Program.”

It also says that it will work closely with clients to make sure that they understand the new requirements.

That said, the organisation also states that “failure to comply with these requirements” may result in non-compliance assessments for the client and that “in the event of a compromise linked to a merchant’s non-compliance with Visa Rules or PCI DSS, acquirers may be subject to non-compliance assessments.”

Moreover, “in the event that a compromise of cardholder data is determined to be the result of an integrator / reseller’s non-compliance with QIR Program requirements, the QIR may be de-listed (if they are a current program participant)” and Visa may impose “additional risk controls.”

Visa also says that it “will not proactively enforce or measure compliance with the new requirements at an individual merchant level.”

Marco Borza

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA