PCI Report Poses a Quandary: Where Did 1 Million Merchants Go?

The biggest merchants are moving toward 100% compliance with the Payment Card Industry data-security standard, or PCI, but compliance among small card acceptors remains much lower, according to second-quarter statistics from Visa Inc. None of that is a surprise given PCI compliance trends in recent years. But just how far small merchants lag large ones in meeting their PCI obligations is a matter of debate, as is the actual number of low volume, card-accepting merchants. Visa doesn't give a compliance statistic for the so-called Level 4 merchants, the small businesses that submit fewer than 1 million Visa transactions annually. They comprise 99% of the network's U.S. merchant base but account for only 32% of transaction volume. Instead, Visa's report says PCI compliance among Level 4 merchants is “moderate,” but doesn't define the term. In fact, the report says “moderate” applies only to those merchants with standalone payment terminals; PCI compliance is “lower among merchants using integrated payment applications.” A Visa spokesperson was unavailable on Thursday for clarification. While massive data breaches at big retailers and merchant acquirers such as TJX Cos. and Heartland Payment Systems Inc. get the headlines, most breaches actually occur at Level 4 merchants. The payment networks and acquirers in the past two years have ramped up their efforts to improve small-merchant data security, but they have a big task. In a December 2008 story, Digital Transactions magazine estimated the number of PCI-compliant Level 4 merchants at below 10%. Visa's latest report, posted in mid-August, reveals another curious numerical quirk. It estimates the number of Level 4 merchants at about 5 million. But in a PCI report for June 2007, Visa estimated the number of Level 4 merchants at about 6 million, says Gartner Inc. technology and security analyst Avivah Litan. She interprets that reduction to be a result of PCI causing networks and acquirers to look hard at where their transactions come from and thus make their counting more accurate. “PCI is forcing Visa to get a better handle on who's connecting to them,” she says. That same phenomenon probably is evident in a reverse way in counting the number of agents, or independent sales organizations and smaller processors that feed transactions into larger processors that have direct access to the VisaNet backbone system, she adds. In mid-2007, Visa estimated it had 451 agent or “downstream” processors. Two years later, Visa puts the agent number at 808. More than 350 net new downstream processors probably haven't entered the payment card business since 2007, according to Litan. “In my opinion, it means Visa is clearing up its network and is gaining a transparent view into its connections,” she says. Visa reported having 78 processors with direct VisaNet connections in June versus 76 two years ago. Meanwhile, the new report says PCI compliance among the largest merchants, the so-called Level 1 and Level 2 card acceptors, is at 95% and 93%, respectively. Level 1 merchants, which currently number 352, generate more than 6 million Visa transactions annually while the 895 Level 2s submit 1 million to 6 million transactions. Collectively the Level 1 and Level 2 merchants account for 63% of Visa transactions. Visa pegs the rate of PCI compliance among the estimated 2,482 Level 3 e-commerce merchants only as “moderate.” But in its report for 2008's fourth quarter, Visa said 57% of Level 3s had validated PCI compliance, with another 19% having submitted reports for validation or in remediation, and yet another 23% in the process of initial validation. Level 3 merchants are online businesses that generate 20,000 to 1 million Visa transactions annually and account for less than 5% of network volume. A Visa source tells Digital Transactions News that because of the economy, churn in Level 3's ranks was starting to make percentage-based reporting lose its meaning. “Literally hundreds of merchants are moving in and out of the Level 3 category on a month-to-month basis,” the source says. “Any percentage reporting would have given a false impression about compliance when in fact the base number of merchants was changing.” Some 97% of the direct VisaNet processors are PCI compliant, while 80% of the agent processors are, Visa says. Ninety-nine percent of both Level 1 and Level 2 merchants are confirmed as not storing data prohibited by the PCI standards. Visa says “high” numbers of direct and agent processors do not store prohibited data, but the report does not give percentages. Noting the high-profile data breaches in the past three years, Litan says Visa's latest compliance report “basically tells us a lot of companies spent a lot of money on a checklist. They're more secure, but they're not impenetrable. It's clear that determined criminals can break through.”