New Visa PCI Compliance Stats: Level 1s Up, Level 3s Down Slightly, Level 2s Down Sharply
Written by Evan SchumanLevel 3 merchants, whose compliance Visa only started making public this summer, have seen their relatively weak compliance numbers drop further, according to new figures the card brand released Monday (Oct. 31). Level 2 chains saw an even stronger drop, while Level 1s continued their improvement trend.
Level 1 chains process more than six million Visa transactions a year, Level 2s process from one to six million and Level 4s process fewer than one million such transactions, while Level 3s handle 20,000 to one million online Visa transactions a year. The initial Visa stats covered activity ending June 30 and showed 60 percent Level 3 compliance. The new stats, ending September 30, report 57 percent compliance among these merchants. The numbers on their own are somewhat of a concern, given that compliance in any group is supposed to steadily improve. That’s especially true with a new entry, such as Level 3s, which start at such a relatively low level of compliance.
In this instance, though, the explanation for the compliance dip might lie in a recent increase in the number of Level 3s trying to get compliant. The June figures showed 3,024 Level 3s and the new September stats show 3,049, an increase of 25 retailers. Given that new PCI merchants—especially Level 3s—might need more time to prove compliance, those new players could easily account for the three percent compliance drop.
In other PCI compliance details, Level 1 chains continued a trend this year of improving compliance. The June figures showed 97 percent compliance, which improved on the long-held 96 percent rate. The newest stats, however, reflect 98 percent compliance. And showing Level 3s how it’s done, Level 1s achieved that 98 percent with 407 retailers—an increase from June’s 377. In short, Level 1s—unlike Level 3s—showed that you can increase your ranks and still increase compliance. (I know, Level 1s. What are we going to do with these kids these days?)
Level 2 merchants saw a much steeper change than the other groups, dropping from 96 percent compliance to 91 percent. The Level 2 population increased from 881 to 1,060, which might have helped in its compliance decline. But a plunge from 96 to 91 percent might need more than a population change to be explained. Are Level 2s losing PCI interest? Without more details from Visa about the reasons behind the compliance drop, it’s impossible to determine an exact cause.
The card brand on Monday continued its practice of not reporting compliance figures for Level 4s, saying only that Level 4 compliance is “moderate.” Given the declines for Levels 2 and 3, Visa’s continued silence on Level 4s can’t be good news.
-Marc
November 2nd, 2011 at 7:45 pm
One possible explanation for the drop in Level 2 compliance is MasterCard’s new compliance validation regime. This new (this year) process requires merchants have either a QSA or the company’s own Internal Security Assessor (ISA) sign off on their PCI compliance.
Based on my experience, there can be a world of difference between a company completing their own Self-Assessment Questionnaire (SAQ, aka the PCI honor system) and proving to an independent assessor that you meet each requirement and can prove it.
The new MasterCard compliance standards may be having the desired effect of improving not just compliance, but also security.
November 14th, 2011 at 12:15 pm
Mastercard pushed back the requirement for a QSA or certifed ISA to 2012. If the compliance percent went down this year, just wait unitl MasterCards compliance standards take effect next year.