"If the cards are secure and the data cannot be used even if stolen, and there is no need to worry about data at rest or auditing data at rest, then there is no need for PCI," she said.
Litan said that Visa's program is a good incentive for countries that are in the midst of upgrading their payment systems. But for it to be really meaningful, others card issuers such as MasterCard, American Express and Discover will also need to waive the need for PCI compliance validation for such merchants, she added.
Perez said Visa is unable to extend the program to the U.S. because of the uncertainties created by proposed debit-card restrictions by government.
The new rules, which are scheduled to be finalized in April, will, among other things, cap the fees that debit card issuers can charge merchants for card transactions.
The rules as proposed are expected to substantially cut into the profits being made on card transactions by banks and credit card companies.
Perez did not explain why that fact would have any direct bearing on Visa's decision not to extend its new incentive program to U.S. merchants. However, a statement released by Visa announcing the program suggests that the decision may be tied to concerns that financial institutions will be unwilling to make EMV technology investments at a time when they are likely to lose billions in revenue.
Sign up for Computerworld eNewsletters.