United States

Evaluating the Visa TIP program: Is it right for your business?

INSIGHT ARTICLE  | 

In October 2012, Visa launched its Technology Innovation Program (TIP) as an alternative evaluation and reporting process to the traditional Payment Card Industry Data Security Standard (PCI DSS). Merchants enrolled in TIP now have the opportunity to bypass complying with the PCI DSS annually by implementing a comprehensive set of up-to-date security functions within their organizations.

Would Visa TIP be a good fit for your organization? To be accepted into TIP, a merchant must formally apply to be accepted and comply with a prescribed set of criteria set by Visa. These criteria include:

  • Confirmation that a minimum of 75% of all transactions go through either: currently validated EMV chip reading terminals that pass the Acquirer Validation Toolkit (ADVT), Contactless Evaluation Toolkit (CDET) or Visa payWave Test Tool (VpTT) testing requirements, as applicable to each merchant per Visa. Contact-only or contactless-only card terminals do not qualify for TIP.
  • Validated point-to-point encryption solutions should be assessed by a PCI Security Standards Council Qualified Security Assessor point-to-point encryption company as defined by Visa.
  • Confirmation that all sensitive authentication data is not stored within an organization’s environment per the PCI DSS. This includes any element of the full contents of the magnetic stripe, CVV2 and PIN data per Visa.
  • Acquirers must confirm that all Level 4 merchants who use third-party point-of-sale applications have terminal installations completed only by PCI-qualified integrators and resellers (QIR) per Visa requirements.
  • The qualifying merchant must not have been involved in a breach involving cardholder data. An exception to this rule would be if the merchant was validated through the PCI DSS.

In summary, Visa TIP rewards merchants with less requirements if they implement secure technologies within their environments. Another bonus? If a merchant becomes a member of TIP, they can also join American Express’s Security Technology Enhancement Program (STEP), which has very similar requirements.

Despite these benefits, the program may not be the right option for everyone. For example, we have clients who have been eligible for TIP, but have not chosen to join it due to their organizations’ stances on keeping up with global security trends within and outside of their businesses. TIP could be a great option for your business, but it is also imperative that your organization does not ignore other security challenges that could be present.

Visa TIP and the challenges of today

We are in a very unique situation due to the COVID-19 pandemic that has swept over the globe. Noncontact transaction methods such as e-commerce and mail orders have become imperative for many different industries, since most stores have been closed to the public or access has been limited. Other methods such as curbside transactions have taken on a new prominence by keeping businesses viable through these difficult times.

According to Census.gov, 45.3% of business owners believe that it will take more than six months to resume normal operations so it could be more challenging to meet the strict TIP guidelines provided by Visa. It should also be noted that merchants that process the majority of their sales through e-commerce or mail will not be eligible for TIP. This is especially prevalent given the situation with COVID-19, where a majority of retail stores and shops have some form of restrictions due to state guidelines.

Other industries could also face problems entering TIP. For example, gas stations that have not implemented point-to-point encryption enterprise-wide would not be eligible for TIP. Seventy-five percent of all transactions would need to go through point-to-point encryption to become eligible for TIP. Many gas stations have not implemented updated point-of-sale devices at their pumps, so this is a problem that would need to be addressed before applying to TIP.

Furthermore, many merchants that feel ready to apply for TIP are still missing requirements. Even after the COVID-19 pandemic, striving to be accepted into TIP could be contrary to a merchant’s best interests due to the amount of requirements that would need to be fulfilled before applying.

Would TIP be a smart venture for you and your organization? If your company meets the standards and can keep security at the forefront of your responsibilities, it could be a good fit. However, TIP has checkpoints you must meet and given the current pandemic, it may be difficult to comply with some of the requirements. Working with a qualified advisor can help you determine whether TIP is the right move for your business, and if so, begin to develop a road map for compliance.

AUTHORS


How can we help you?

Contact us by phone 800.274.3978 or
submit your questions, comments, or proposal requests.


Receive Risk Bulletin by Email

SUBSCRIBE


Cybersecurity Rapid Assessment®

Complete our Cybersecurity Rapid Assessment form to be contacted about receiving our "quick-hit" evaluation of your organization’s overall security risk.

LEARN MORE




Events/Webcasts

RECORDED WEBCAST

Effectively managing enterprise risk for board members

  • September 23, 2020

RECORDED WEBCAST

RSM 2020 cybersecurity special report

  • July 14, 2020