Sunday, September 22, 2024

More Big Merchants Comply, But PCI Likely Still Foreign to Small Fry

New data from Visa Inc. show more of the largest merchants now meet the Payment Card Industry data-security standard, or PCI. But the level of validated PCI compliance among small merchants, the overwhelming majority of businesses that accept credit and debit cards, likely remains much lower.

Visa's latest figures show 81% of so-called Level 1 merchants and 85% of Level 2 merchants had their PCI compliance validated as of Aug. 31. That's up from 77% and 78%, respectively, as of March 31, the date of Visa's last public PCI update. Level 1 merchants generate more than 6 million Visa transactions annually while Level 2 merchants submit 1 million to 6 million transactions. The universe of these big merchants is small, only about 1,400 among more than 6 million card-accepting merchants in the U.S., but they account for approximately two-thirds of Visa transactions.

Data Visa sent to Digital Transactions News on Tuesday did not have the range of information Visa has posted in the past on its merchant Web site about PCI compliance among Level 1, 2, and 3 merchants. Visa didn't have new numbers about Level 3, the tier that consists of e-commerce-only merchants submitting 20,000 to 1 million transactions annually. On March 31, the Level 3 PCI compliance validation rate was 56% in a population of 2,616 merchants collectively generating fewer than 5% of Visa transactions. Another 19% of the Level 3 merchants were correcting problems found in their initial tests, and 24% were in the initial phases of PCI compliance validation.

That leaves Level 4, merchants who submit 20,000 or fewer Visa e-commerce or up to 1 million total transactions annually. These small merchants present an outsized security risk. They often have old point-of-sale equipment running outdated software that stores card numbers and related data useful to fraudsters intent on making counterfeit cards. Their computers may lack firewalls and other protections that would stop hackers from accessing sensitive data.
It's no surprise that small merchants account for a disproportionate share of payment card data breaches, though the damage from them is much smaller than that from a big breach such as the one at TJX Cos., a large international retailer where a computer intrusion announced last year exposed at least 40 million card numbers to fraudsters. “What we see is that about 85% of the reported compromises come from the Level 4s,” says Diana Greenhaw, business leader with Visa's payment system security compliance group. Greenhaw spoke with Digital Transactions News' sister publication Digital Transactions magazine for an upcoming story about Level 4 PCI compliance.

While small merchants are bound by PCI's strictures just like their bigger brethren, data about their compliance rates are scarce. Individual acquirers, which are directly responsible for PCI enforcement, may require their small merchants to validate their PCI compliance, but Visa has not mandated validation on a networkwide scale because of the difficulties in gathering data from such a large and diverse merchant population, according to Greenhaw. And even several acquirers contacted by Digital Transactions could not say with certainty what the PCI compliance rate is in their portfolios. But one payment-industry executive who asked for anonymity estimates the validated compliance level is much lower than those of the other tiers, very likely in the single digits as a percentage.

Now, though, the Level 4s are getting more attention. Visa, the biggest card network, asked its acquirers to submit plans by the middle of 2007 on how they would get their small merchants compliant with PCI. All 200-plus U.S. acquirers produced plans, Greenhaw says. Visa asked for an update of those plans by June 30 of this year, and another status report is due Dec. 31, she says.
Visa also is working with business groups, trade associations, and merchant acquirers to spread the word among small businesses about the need to improve card security. For example, Visa and the U.S. Chamber of Commerce recently concluded their 12-city “Drop the Data” tour. That effort had Visa representatives speaking at meetings of local Chamber affiliates. Visa also has done Webinars with the National Federation of Independent Businesses.
