Visa Starts to Put Small Merchants Under Its PCI Microscope

More large merchants now meet the dictates of the Payment Card Industry data-security standard, or PCI, according to new numbers from Visa U.S.A. At the same time, Visa, the biggest payment-card network, is turning its security attention to small merchants, the source of the majority of data breaches. Visa and the other general-purpose card networks consolidated their individual data-protection rules under the PCI umbrella in early 2005 and last year created the PCI Security Standards Council to foster broad adoption and future technological development of the standards. Each network, however, administers PCI. Eduardo Perez, Visa vice president of payment system risk, tells Digital Transactions News that 39% of 327 so-called Level 1 merchants, those that generate more than 6 million Visa transactions a year, were PCI complaint as of June 30 compared with 18% about a year earlier. (Last year Visa said it had only 230 Level 1 merchants; today's higher number, according to Perez, is the result of natural growth by some merchants and changes in the way some acquirers aggregate their merchant portfolios.) Another 50% of Level 1 merchants were in “remediation” as of June 30, which means they've gone through a compliance assessment and are working to correct identified deficiencies. That means 89% of the biggest merchants meet or are close to meeting PCI standards as Visa's Sept. 30 Level 1 compliance deadline approaches. Level 2 merchants, those generating 1 million to 6 million annual Visa transactions, aren't as far along, though they have a later compliance deadline, Dec. 31. According to Perez, 33% are complaint while an additional percentage in the “high 20s” is in remediation. PCI compliance is at 52% for Level 3 merchants?those generating 20,000 to 1 million Visa e-commerce transactions annually. This group currently does not have an explicit compliance deadline. Now Visa is turning its attention to its smallest, or Level 4, merchants?those that generate fewer than 20,000 Visa e-commerce transactions or 1 million total Visa transactions annually. In May, Visa distributed a bulletin to its 270 merchant acquirers saying they had until July 31 to submit plans on how they intend to bring their Level 4 merchants into PCI compliance. Visa disclosed the bulletin publicly last week. Even though small merchants are the source of less than 5% of potentially exposed cardholder accounts from data thefts, Visa's rationale for PCI compliance is that Level 4 merchants were the source of 80% of identified compromises since January 2005. Also, the sheer size of the Level 4 group?more than 6 million locations accounting for 99% of Visa's merchant base?makes it too big to ignore. “We gave [acquirers] factors to consider in how they should risk-prioritize their population,” says Perez. After setting compliance dates and sorting their portfolios by risk, the bulletin says acquirers should then focus most of their attention on their biggest and riskiest merchants. It further asks acquirers to state their plans to educate merchants about data security and PCI compliance. Compliance strategies are to include steps to eliminate storage of prohibited magnetic-stripe information such as Card Verification Value 2, or CVV2, and PIN data. Storage of such data, especially by older point-of-sale payment-processing software systems, is a major source of data breaches. Compliance strategies also must address the third parties acquirers use, such as independent sales organizations. The May bulletin is unlikely to be the last word small merchants hear from the payment networks about card security. Perez says Visa is considering possible rules that would address vulnerabilities in payment-processing software applications, though he would not go into specifics. The bulletin says acquirers failing to meet the July 31 deadline are subject to “risk controls,” which it doesn't define, but Perez says Visa isn't trying to wield a club over them. “We obviously don't want it to be a burden,” he says, noting that acquirers have considerable discretion in developing their compliance plans. “We do have the option of imposing risk controls and fines, but that's not the path we want to go down,” he says. “We're seeing a very positive response from our acquirers.” Some have already submitted plans to get incentives Visa is offering for accelerated PCI compliance, he adds. Merchant-acquiring executives familiar with the small-merchant sector say they don't view Visa's May bulletin as onerous. John Hamby, the senior vice president at New Haven Conn.-based NewAlliance Bancshares Inc. who oversees a portfolio of 3,500 mostly local and regional merchants that generate about $1 billion in annual card volume, says the bulletin is “reasonable in the broad sense. We need to know as the acquirer who our high-risk [merchant] is. This is sort of a wake-up call.” Processing consultant Paul R. Martaus, president of Mountain Home, Ark.-based Martaus & Associates, says some sort of deadline for small-merchant PCI compliance is a good idea. “They have to keep moving forward or nothing ever will get done,” he says. But small merchants present their own security challenges, he notes. While many are not targets of hackers because of their low volume and because they still use dial-up POS terminals that don't have Internet connections, some use voice-over-Internet connections that don't encrypt transaction data at all. According to a recent survey by Visa and the National Federation of Independent Business trade group, 57% of small businesses do not see securing customer data as something that requires formal planning, and 39% say they rely on common sense to keep data safe. Visa and the NFIB have developed free educational materials and tools that will become available Aug. 1 on the NFIB's Web site to help small businesses guard against data fraud, Visa said in a release. According to Perez, 96% of levels 1 and 2 merchants have affirmed that they do not store track data from mag-stripes. But all it takes is one breach at a big retailer to do serious damage, as shown by last winter's disclosure by off-price retailer TJX Cos. that hackers had compromised sensitive data from more than 45 million card accounts stored on its computer systems (Digital Transactions News, March 29).