Thursday, September 19, 2024

Visa Reports Progress on PCI Among Large and Small Merchants

Signaling further progress among merchants toward compliance with a key data-protection mandate, Visa USA announced this week that 40% of the largest merchants accepting its cards now comply with the Payment Card Industry data-security standard (PCI). Further, some 96% of these merchants have certified they are not storing account data, such as security codes and PINs. This is up from a 35% compliance rate and 93% not storing account data at the end of March (Digital Transactions News, April 26). Among these so-called Level 1 merchants (businesses that process more than 6 million Visa transactions annually), another 50% are working to correct security problems on the way to full compliance, Visa reports, adding that the remaining 10% of merchants in this class are working on their first PCI assessments. Level 1 merchants must show compliance with PCI by Sept. 30, except those identified by Visa this year, which must validate compliance by Sept. 30, 2008. Visa relies on acquiring banks in its network to identify merchants and report on progress toward compliance.

Visa's progress report comes amid rising concerns about electronic theft of card data from merchant point-of-sale systems, concerns that were intensified by TJX Cos. Inc.'s announcement in January that hackers had stolen customer information from its system. The company, which operates the TJ Maxx and other chains, ultimately determined the thieves had gained access to nearly 46 million accounts, the largest such breach on record. Level 1 merchants account for roughly half of all Visa POS traffic in the U.S. Because of major breaches like the one involving TJX, industry attention has focused on the problem of merchants electronically storing data such as card-verification values and PINs. PCI includes a requirement that merchants not store this so-called prohibited data captured during transactions.

“We know that merchants that store full magnetic-stripe data expose themselves to risk exponentially,” said Michael E. Smith, senior vice president of enterprise risk and compliance at Visa, in a statement. “By removing prohibited data from their payment systems, large and small businesses alike are denying hackers the data they covet for use in counterfeiting payment cards.”

Among smaller merchants, Visa reports that one-third of Level 2 businesses have now shown compliance with PCI, up from 26% four months ago. Forty-two percent are in the midst of correcting security problems, a process Visa calls remediation, and another one-quarter are starting the validation process. Those Level 2 merchants identified in 2006 have until Dec. 31 to comply. Those identified this year must comply by the end of 2008. Level 2 merchants handle between 1 million and 6 million Visa transactions yearly.

Meanwhile, 52% of e-commerce sites doing 20,000 up to 1 million annual transactions, which are included in Level 3, have validated compliance, little changed from the 51% Visa reported this spring. Another 22% are in remediation, up from 16%. Visa did not report a compliance rate for Level 4 merchants, which include those handling fewer than 1 million transactions a year. Though these merchants are obliged to comply with PCI, they aren't obliged to validate compliance. The network recently issued a requirement that acquirers submit plans showing how these merchants, which account for almost one-third of Visa transactions, would comply (Digital Transactions News, July 18). These plans are due Tuesday.

Compliance has moved upward slightly among processors and independent sales organizations, Visa says. Some 88% of processors now comply, compared to 87% earlier this year. The rate among third-party sales agents now stands at 65%, up from 62%.

PCI, which is backed by all the major card companies, includes a dozen broadly based security requirements covering areas ranging from firewalls to passwords to data storage and encryption.


Digital Transactions