The Latest PCI Compliance Stats Disappointing For Level 3s
Written by Walt Conway and Evan SchumanThe latest PCI compliance stats—released by Visa this month—are a mixed bag, with Level 1s plateauing at about 15 major chains still non-compliant. But at the small and midsize merchant level, the numbers are so unimpressive that Visa has given up specifying the numbers. Not a good sign.
We now have three years of data to examine—2007 through 2009—so, to the extent that Visa has used the same categories during that time, we can add a bit of context to this information.
Small merchant compliance is a big deal because they account for roughly one-third of all Visa card transactions. But about the best Visa can report for this segment right now is that its rate of compliance is “moderate.”
Compliance for Level 3 merchants—primarily E-tailers with between 20,000 and 1 million Visa transactions annually—is stagnant at a very low level. Visa reported that this group of roughly 2,500 merchants was 54 percent compliant at the end of 2007. Fair enough. There are more Level 3 merchants; they are not always big enough to show up on acquirers’ radar; and Visa’s Compliance Acceleration Program (CAP) focused on their larger L1 and L2 brethren. Sadly, the data for 2008 showed almost no movement by L3 merchants, and now Visa has stopped showing their numbers altogether. It says only that compliance in this segment is “moderate.”
(Related story: New PCI Details: Changes For Network Segmentation, One-Way PAN Hashing, End-To-End Encryption)
We have no idea what “moderate” means. Is it more than or less than 50 percent or 70 percent or any percent? What we do know is that Visa did not use words like “high” or even “really good,” which it could have. We’re wondering if this new language (which first appeared, we believe, in the September 2009 Visa report) is a tacit admission that there hasn’t been much progress. Maybe it’s just too hard to track. In the absence of any kind of numbers since 2008, we have to rate L3 compliance as an industry Fail.
The PCI compliance situation for the smaller merchant universe—the millions of Level 4 merchants—is even murkier. Visa didn’t even attempt to track compliance for these merchants who, by the way, account for roughly one-third of all Visa transactions annually.
There is no data for 2007 or 2008 and, as of 2009, Visa says only that compliance in this segment is—wait for it—”moderate.” Except this time we get a footnote stating “Level 4 compliance is moderate among standalone terminal merchants, but lower among merchants using integrated payment applications.” So now we have “moderate” and “lower than moderate.” Perhaps “lower than moderate” is somewhere below “moderate” and slightly above “let’s not go there.” We can only grade this result as another Fail.
As for the major retailers, Visa classifies merchants having more than 6 million Visa transactions a year as Level 1. These retailers account for half of all Visa transactions annually. At the end of 2007, only 77 percent of L1 merchants were PCI compliant. Two years later, the rate shot up to 96 percent while the number of merchants actually increased slightly (from 326 to 360).
We’d love to know which are the 15 or so L1 merchants that are not compliant.
-Marc
April 15th, 2010 at 11:29 am
Why would companies be jumping to get PCI compliance if it is not mandated by law? Especially when they can hold off as long as possible and then get compliance without wasting each year’s audit fee since 2007 (per article’s start date)… so companies who got on board back to 2004 got screwed by paying yearly fees since then.
April 16th, 2010 at 3:04 pm
@cestmoi, Thanks for your comment, but I have to disagree with such a cynical view of PCI and the benefits of compliance. Companies should want to be compliant to protect their customers and their brand. If you are going to take payment cards then you have an obligation to be secure. Being PCI compliant and – more importantly – being secure is important to your business and your customers. Rather than being a waste, PCI compliance is a smart investment.
I guess you could avoid compliance and try to fly under your acquirer’s radar, or you could lie on your SAQ. But you do not really benefit by such action. You increase your risk of an expensive data breach which is more expensive than being compliant and, hopefully, secure. In other words, if you think compliance is expensive, noncompliance can cost more.
April 20th, 2010 at 6:06 pm
PCI can unlock IT budgets, so it’s important to determine the cost of compliance. However, I’m with you, Walt, that the cost of non compliance is way higher than that of compliance. Surveys show the average cost of a data breach being $6.6 million. With this info, it’s very easy to argue that compliance is not expensive.
One of the reasons why a breach is so expensive is because breaches go undiscovered and uncontained for weeks or months. Imagine leaving the door to your home wide open, and not finding out what robbers stole for months! It could get very expensive. Close that breach to detection gap and you can control the damages to your organization much quicker.
May 28th, 2010 at 4:21 pm
PCI compliance is a money making thing for scan companies and Visa/MC is in bed with these companies. Getting scanned and submitting a report to the banks will not stop a hacker. If you still get hacked even though you have every safety element possible on your site, the banks will still fine the merchant. Period. Where are the banks saying that if you submit PCI scan and self assessment to then quarterly, then you are off the hook if you get hacked? They will still find a reason to fine the merchant. Why are merchants going to pay for scumbags crimes?